In message <15CEC87F00BB7B4CA0E904C5FCF056463C1617AC@EXCHANGEN J1.ds.tellurian.n
et>, Vinny Abello writes:
> Hi all,
>
> I've got two recursive DNS servers running on FreeBSD 7.0 each with BIND 9.4.
> 2-P2. I got a call this morning that DNS lookups were broken. I found named c
> rashed on one server, and was still running on the other but not giving any r
> esposes. I had a third recursive server that was in a different location, dif
> ferent OS and different config that was working fine. Furthermore, my recursi
> ve client counts were over 10x what they should be reaching the defaul limit
> of 1000. Long story short, I finally disabled dnssec and everything started w
> orking again. This configuration has been untouched and working for a couple
> of months now. No changes were made. My relavant configuration is very simple
> for dnssec and is as follows:
>
> trusted-keys {
> dlv.isc.org. 257 3 5 "BEAAAAPp1USu3BecNerrrd78zxJIslqFaJ9csRkxd9LCMzvk9Z 0
> wFzoF kWAHMmMhWFpSLjPLX8UL6zDg85XE55hzqJKoKJndRqtncUwHkj h6zERN uymtKZSCZvkg5m
> G6Q9YORkcfkQD2GIRxGwx9$
> };
>
> dnssec-enable yes;
> dnssec-validation yes;
>
> dnssec-lookaside . trust-anchor dlv.isc.org.;
>
>
> Any ideas why this broke? It wasn't just dnssec validation that was broken. I
> could not even resolve the A records for the root servers.


Which is to be expected when you have a out to date trust
anchor of a dlv registry. When you are using DLV you have
to prove that there isn't a DLV record which covers the
name or else you can be open to a downgrade attack.

> My only thought is my trusted-key is no longer valid. Looking at ISC's web
> site, I see a DLV KSK Public key from 2008/09/21. This is different than the
> one I was using above. I must have missed it in the instructions somewhere
> including on that page, but is regular rotation of these keys part of
> maintenance?


Yes.

> I know it is for signed authoritative zones with dnssec, but it isn't clear
> for using lookaside-validation with ISC.


dlv.isc.org is a signed zone. The keys get rolled the same as
any other zone.

> I'm guessing the answer is yes and I should be subscribed to the
> dlv-announce@isc.org mailing list or wait for a better automated mechanism
> for this to work.


Correct. You can also use

"dig dnskey dlv.isc.org @127.0.0.1 | grep 257"

daily from cron and when the answer changes go check the web site.
I do something like this for all my trust anchors.

% dig dnskey dlv.isc.org @127.0.0.1 | grep 257
dlv.isc.org. 7200 IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2F ZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56d hgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
%

Mark

> -Vinny

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org