[dns-operations] DNSSEC, DLV, and delegation-only
Michael Graff
michael_graff at isc.org
Thu May 14 18:46:07 UTC 2009
From traffic on this list and ISC's investigation into various issues
surrounding DLV and TLDs, we have found some interaction between
delegation-only and DNSSEC. For those using DLV, disabling DLV made the
problem vanish only if you had no trust anchor for the other domains
(.gov and .se were mentioned) -- but the problem appears if the anchor
was DLV-provided or statically configured.
The specific problem is that delegation-only converts certain queries
into NXDOMAIN. One of these appears to be the DS query for a TLD that
is believed to be delegation only.
For currently released versions of BIND, you should choose
delegation-only for those domains not DNSSEC-signed, or you should choose
to not use DNSSEC.
In all of my test cases, having both DNSSEC and delegation-only
configured caused erratic behavior with .gov and total failure with .se.
Removing delegation-only and restarting the server caused all my tests
to once again succeed.
Note that with root-delegation-only enabled, even without DNSSEC and
even specifying "se" in an exclude list, certain queries fail, such as
the query for "a.ns.se. A"
# dig a.ns.se
; <<>> DiG 9.5.0 <<>> a.ns.se
;; global options: printcmd
;; connection timed out; no servers could be reached
Removing the root-delegation-only option from named.conf causes the
above dig to work correctly, including DNSSEC validation.
delegation-only can be specified in several ways. For more information,
please see https://www.isc.org/node/355, which discusses these options.
--Michael
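The symptom described in the post (a validating resolver answering the DS query for a delegated TLD with NXDOMAIN, or timing out on a query under it once root-delegation-only is set) is easy to probe from the outside but tedious to eyeball in dig output. The script below is an added example, not part of Michael Graff's message or of ISC's BIND: it classifies a resolver's answer to "dig <tld> DS" into the cases that matter here, and can be pointed at a live resolver. The four dig transcripts embedded in it are constructed for illustration (the DS digest, key tag and query ids are placeholders, not real .se data), the resolver address 127.0.0.1 and the function names are assumptions of the example, and the named.conf fragments quoted in the comments use the BIND 9.5-era syntax of the post. Note that ISC retired the DLV registry in 2017 and later versions of BIND removed dnssec-lookaside, so only the root-delegation-only / delegation-only half of the interaction is still reachable on a current server.

```shell
#!/bin/sh
# ds-probe.sh: classify a BIND resolver's answer to a "DS <tld>" query.
# Added example; not ISC code. The problematic and corrected named.conf
# settings it is meant to diagnose (syntax as used in the 2009 post):
#
#   # problematic: DS queries for the TLD come back NXDOMAIN, validation fails
#   options { dnssec-validation yes; root-delegation-only exclude { "se"; }; };
#
#   # corrected: drop root-delegation-only (and any "type delegation-only"
#   # zone for a DNSSEC-signed TLD); keep validation
#   options { dnssec-validation yes; };
set -e

# Constructed dig transcripts (placeholders, not captured from a real server).
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;se.        IN  DS'

SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
se.   7200  IN  DS    12345 5 1 0123456789ABCDEF0123456789ABCDEF01234567
se.   7200  IN  RRSIG DS 8 1 7200 20090601000000 20090501000000 11111 . dGVzdA==

;; Query time: 12 msec'

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

SAMPLE_TIMEOUT='; <<>> DiG 9.5.0 <<>> @127.0.0.1 se DS +dnssec
;; global options: printcmd
;; connection timed out; no servers could be reached'

# classify_ds_answer: read dig output on stdin and print exactly one of
#   ok          NOERROR with a DS RR in the answer section (signed TLD, as expected)
#   ok-unsigned NOERROR with an empty answer (TLD exists, no DS published)
#   nxdomain    resolver claims the TLD does not exist; for a TLD that is
#               delegated from the root this is the delegation-only rewrite
#               the post describes, and DNSSEC validation under it will fail
#   servfail    resolver failed (typically a validation failure)
#   timeout     dig got no answer at all
classify_ds_answer() {
  awk '
    /connection timed out/ { verdict = "timeout" }
    /status: /             { s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s }
    /^;; ANSWER SECTION:/  { in_answer = 1; next }
    /^;;/                  { in_answer = 0 }
    in_answer && $4 == "DS" { ds++ }
    END {
      if (verdict != "")                print verdict
      else if (status == "NOERROR" && ds > 0) print "ok"
      else if (status == "NOERROR")     print "ok-unsigned"
      else if (status == "NXDOMAIN")    print "nxdomain"
      else if (status == "SERVFAIL")    print "servfail"
      else                              print "unknown"
    }'
}

# probe_resolver RESOLVER TLD: live check (needs network). An "nxdomain"
# verdict is only meaningful if a root server answers the same DS query
# with NOERROR; compare with: dig @a.root-servers.net TLD DS
probe_resolver() {
  dig @"$1" "$2" DS +dnssec +time=3 +tries=1 | classify_ds_answer
}

show() {
  printf '%-9s -> %s\n' "$1" "$(printf '%s\n' "$2" | classify_ds_answer)"
}

if [ $# -eq 2 ]; then
  probe_resolver "$1" "$2"        # e.g. ./ds-probe.sh 127.0.0.1 se
else
  show NXDOMAIN "$SAMPLE_NXDOMAIN"
  show OK       "$SAMPLE_OK"
  show SERVFAIL "$SAMPLE_SERVFAIL"
  show TIMEOUT  "$SAMPLE_TIMEOUT"
fi
```

Run it with no arguments to see the four constructed transcripts classified, or as `./ds-probe.sh <resolver> <tld>` against a resolver whose named.conf has root-delegation-only or a delegation-only zone for a signed TLD; an "nxdomain" verdict for a TLD that a root server answers with DS records is the interaction the post reports, and the fix is to remove the delegation-only setting for that TLD rather than to turn off validation.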