[dns-operations] DNSSEC, DLV, and delegation-only

Michael Graff michael_graff at isc.org
Thu May 14 18:46:07 UTC 2009

Hash: SHA1

- From traffic on this list and ISC's investigation into various issues
surrounding DLV and TLDs, we have found some interaction between
delegation-only and DNSSEC.  For those using DLV, disabling DLV made the
problem vanish only if you had no trust anchor for the other domains
(.gov and .se were mentioned) -- but the problem appears if the anchor
was DLV provided or statically configured.

The specific problem is that delegation-only converts certain queries
into NXDOMAIN.  One of these appears to be the DS query for a TLD that
is believed to be delegation only.

For currently released versions of BIND, you should choose
delegation-only for those domains not DNSSEC-signed, or you should chose
to not use DNSSEC.

In all of my test cases, having both DNSSEC and delegation-only
configured caused erratic behavior with .gov and total failure with .se.
 Removing delegation-only and restarting the server caused all my tests
to once again succeed.

Note that with root-delegation-only enabled, even without DNSSEC and
even specifying "se" in an exclude list, certain queries fail, such as
the query for "a.ns.se. A"

	# dig a.ns.se

	; <<>> DiG 9.5.0 <<>> a.ns.se
	;; global options:  printcmd
	;; connection timed out; no servers could be reached

Removing the root-delegation-only option from named.conf causes the
above dig to work correctly, including DNSSEC validation.

delegation-only can be specified in several ways.  For more information,
please see https://www.isc.org/node/355, which discusses these options.

- --Michael
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the dns-operations mailing list