Re: ISC BIND 9 breakage?

[Clayton Zekelman <clayton () MNSi Net>]

Was it a "glitch" or someone just plain old forgot to do it?



At 02:29 AM 26/03/2020, Mark Andrews wrote:
> It was a glitch with the re-signing of the zone. There should be a official
> report sometime tomorrow.  That said "dnssec-lookaside auto;" has been a no-op
> in BIND since BIND 9.9.12, BIND 9.10.7, BIND 9.11.3 and a fatal configuration
> error as of BIND 9.12.0.  We didn’t want the 
> DLV lookup traffic and provides no
> benefit as the zone has been empty since 2017.
>
> If you have dnssec-lookaside configured in 
> named.conf please remove it otherwise
> the DLV code in the validator has to 
> cryptographically prove that DLV records don’t
> exist before returning that the response is 
> insecure.  That requires talking to the
> servers for dlv.isc.org.  It does this every 
> hour for a active validating resolver
> that is still running DNSSEC lookaside validation.
>
> Mark
>
> > On 26 Mar 2020, at 04:18, Drew Weaver <drew.weaver () thenap com> wrote:
> >
> > Did anyone else on CentOS 6 just have some DNS resolvers totally fall over?
> >
> > I noticed that this command: dnssec-lookaside 
> auto; was causing the issue. The issue occurred right at about 1PM EST.
> >
> > I see this note in the ISC key file..
> >
> > # ISC DLV: See https://www.isc.org/solutions/dlv for details.
> >         #
> >         # NOTE: The ISC DLV zone is being phased out as of February 2017;
> >         # the key will remain in place but 
> the zone will be otherwise empty.
> >         # Configuring "dnssec-lookaside auto;" to activate this key is
> >         # harmless, but is no longer useful and is not recommended.
> >
> > It’s not harmless anymore.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka () isc org

--

Clayton Zekelman
Managed Network Systems Inc. (MNSi)
3363 Tecumseh Rd. E
Windsor, Ontario
N8W 1H4

tel. 519-985-8410
fax. 519-985-8409