nanog mailing list archives
Re: ISC BIND 9 breakage?
From: Clayton Zekelman <clayton () MNSi Net>
Date: Thu, 26 Mar 2020 05:49:07 -0400
Was it a "glitch" or someone just plain old forgot to do it?

At 02:29 AM 26/03/2020, Mark Andrews wrote:

It was a glitch with the re-signing of the zone. There should be an official report sometime tomorrow.

That said "dnssec-lookaside auto;" has been a no-op in BIND since BIND 9.9.12, BIND 9.10.7, BIND 9.11.3 and a fatal configuration error as of BIND 9.12.0. We didn’t want the DLV lookup traffic and it provides no benefit as the zone has been empty since 2017.

If you have dnssec-lookaside configured in named.conf please remove it, otherwise the DLV code in the validator has to cryptographically prove that DLV records don’t exist before returning that the response is insecure. That requires talking to the servers for dlv.isc.org. It does this every hour for an active validating resolver that is still running DNSSEC lookaside validation.

Mark

> On 26 Mar 2020, at 04:18, Drew Weaver <drew.weaver () thenap com> wrote:
>
> Did anyone else on CentOS 6 just have some DNS resolvers totally fall over?
>
> I noticed that this command: dnssec-lookaside auto; was causing the issue. The issue occurred right at about 1PM EST.
>
> I see this note in the ISC key file..
>
> # ISC DLV: See https://www.isc.org/solutions/dlv for details.
> #
> # NOTE: The ISC DLV zone is being phased out as of February 2017;
> # the key will remain in place but the zone will be otherwise empty.
> # Configuring "dnssec-lookaside auto;" to activate this key is
> # harmless, but is no longer useful and is not recommended.
>
> It’s not harmless anymore.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka () isc org

--
Clayton Zekelman
Managed Network Systems Inc. (MNSi)
3363 Tecumseh Rd. E
Windsor, Ontario N8W 1H4
tel. 519-985-8410
fax. 519-985-8409
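
Added example, not part of the original messages: a check for an active `dnssec-lookaside` statement in named.conf text, the setting the thread advises removing. It skips comments, because the key-file note quoted above mentions the directive only inside `#` comment lines and a plain grep would flag it. The function names and the sample configuration are constructed for illustration.

```python
import re

# One pass over the text: quoted strings are matched first so that a '#' or
# '//' inside a string is not mistaken for a comment. named.conf accepts
# three comment styles: /* ... */, // ... and # ...
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_DLV = re.compile(r'\bdnssec-lookaside\s+([^;]*);')


def strip_comments(text):
    """Blank out comments but keep newlines, so line numbers stay valid."""
    def repl(match):
        tok = match.group(0)
        if tok.startswith('"'):
            return tok                      # quoted string: keep as-is
        return re.sub(r'[^\n]', ' ', tok)   # comment: replace with spaces
    return _TOKEN.sub(repl, text)


def find_active_dlv(text):
    """Return [(line_number, argument)] for every dnssec-lookaside
    statement outside comments whose argument is not 'no'."""
    clean = strip_comments(text)
    hits = []
    for m in _DLV.finditer(clean):
        arg = ' '.join(m.group(1).split())
        if arg.lower() != 'no':             # 'no' disables lookaside validation
            hits.append((clean.count('\n', 0, m.start()) + 1, arg))
    return hits


# Constructed sample: one live statement, one in a block comment, and the
# bind.keys-style note that only mentions the directive in '#' comments.
SAMPLE = '''\
options {
    directory "/var/named";   // working dir
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* dnssec-lookaside auto; (old block comment) */
};
# Configuring "dnssec-lookaside auto;" to activate this key is
# harmless, but is no longer useful and is not recommended.
'''

if __name__ == "__main__":
    for line_no, arg in find_active_dlv(SAMPLE):
        print(f"line {line_no}: dnssec-lookaside {arg}; -> remove this statement")
```

Files pulled in with `include` are not followed; run the check on each file separately.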