> -----Original Message-----
> From: Mark_Andrews@isc.org [mailto:Mark_Andrews@isc.org]
> Sent: Thursday, October 23, 2008 10:07 AM
> To: Vinny Abello
> Cc: bind-users@isc.org
> Subject: Re: dnssec lookaside to dlv.isc.org broke recursion
>
>
> In message
> <15CEC87F00BB7B4CA0E904C5FCF056463C1617AC@EXCHANGEN J1.ds.tellurian.n
> et>, Vinny Abello writes:
> > Hi all,
> >
> > I've got two recursive DNS servers running on FreeBSD 7.0 each with
> > BIND 9.4.2-P2. I got a call this morning that DNS lookups were broken.
> > I found named crashed on one server, and was still running on the other
> > but not giving any responses. I had a third recursive server that was
> > in a different location, different OS and different config that was
> > working fine. Furthermore, my recursive client counts were over 10x
> > what they should be reaching the default limit of 1000. Long story
> > short, I finally disabled dnssec and everything started working again.
> > This configuration has been untouched and working for a couple of
> > months now. No changes were made. My relevant configuration is very
> > simple for dnssec and is as follows:
> >
> > trusted-keys {
> > dlv.isc.org. 257 3 5
> > "BEAAAAPp1USu3BecNerrrd78zxJIslqFaJ9csRkxd9LCMzvk9Z 0
> > wFzoF kWAHMmMhWFpSLjPLX8UL6zDg85XE55hzqJKoKJndRqtncUwHkj h6zERN
> > uymtKZSCZvkg5m
> > G6Q9YORkcfkQD2GIRxGwx9$
> > };
> >
> > dnssec-enable yes;
> > dnssec-validation yes;
> >
> > dnssec-lookaside . trust-anchor dlv.isc.org.;
> >
> >
> > Any ideas why this broke? It wasn't just dnssec validation that was
> > broken. I could not even resolve the A records for the root servers.

>
> Which is to be expected when you have an out of date trust
> anchor of a dlv registry. When you are using DLV you have
> to prove that there isn't a DLV record which covers the
> name or else you can be open to a downgrade attack.


OK, thanks for the confirmation on that, Mark.

>
> > My only thought is my trusted-key is no longer valid. Looking at ISC's
> > web site, I see a DLV KSK Public key from 2008/09/21. This is different
> > than the one I was using above. I must have missed it in the
> > instructions somewhere including on that page, but is regular rotation
> > of these keys part of maintenance?

>
> Yes.


Can you point me to the warning to operators in the instructions for setting this up? I can't seem to locate that. I'm viewing the following instructions:

https://secure.isc.org/index.pl?/ops/dlv/

Maybe I'm naive, but I don't think it should be assumed someone following a guide to set this up for their recursive DNS server is versed enough in the internal workings of dnssec to realize they will cause an outage without regular updates of the key. I've also seen several presentations on how to set this up which were similar. I must have also missed that part of the regular maintenance of the recursive server.

>
> > I know it is for signed authoritative zones with dnssec, but it isn't
> > clear for using lookaside-validation with ISC.

>
> dlv.isc.org is a signed zone. The keys get rolled the same as
> any other zone.


Makes sense now.

>
> > I'm guessing the answer is yes and I should be subscribed to the
> > dlv-announce@isc.org mailing list or wait for a better automated
> > mechanism for this to work.

>
> Correct. You can also use
>
> "dig dnskey dlv.isc.org @127.0.0.1 | grep 257"
>
> daily from cron and when the answer changes go check the web
> site.
> I do something like this for all my trust anchors.
>
> % dig dnskey dlv.isc.org @127.0.0.1 | grep 257
> dlv.isc.org. 7200 IN DNSKEY 257 3 5
> BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
> brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2F ZLK8t+
> 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56d hgMde5
> ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
> Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
> QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
> %


Is there a best practice for getting this info into BIND in an automated fashion? I'm sure I could think of a way and script it, but why reinvent the wheel? If this is manual maintenance that has to be monitored and updated or else everything breaks, I can see some of the hesitation in using dnssec. That was my reservation in signing my own zones but the same issue exists here just to validate them.

Will this always be the case even when the root becomes signed or is this just due to using the lookaside validation with DLV?

Thanks for your response and time, Mark.

-Vinny
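An added example, not code from this thread and not an ISC tool: a POSIX shell script that takes Mark's "dig dnskey dlv.isc.org @127.0.0.1 | grep 257" cron check one step further and compares the published KSKs against the trusted-keys block that named actually loads, so a roll like the one that broke Vinny's resolvers is reported before validation fails. It assumes dig's default one-line output (not +multiline), owner names written with a trailing dot in named.conf as in the thread, and the key material and file names below are constructed dummy data, not real DLV keys.

```shell
#!/bin/sh
# Added example (not from the bind-users thread, not ISC code): compare the
# KSKs a trust-anchor zone publishes with the trusted-keys block in named.conf.
# Canonical form used on both sides: "owner flags protocol algorithm base64key".
# Assumes dig default output (not +multiline) and owner names with a trailing dot.

# KSKs (flags 257) from saved `dig dnskey <zone>` output. dig prints the base64
# in space-separated chunks, which are joined back together here.
ksks_from_dig() {
    awk '$3 == "IN" && $4 == "DNSKEY" && $5 == "257" {
        key = ""
        for (i = 8; i <= NF; i++) key = key $i
        print $1, $5, $6, $7, key
    }' | sort
}

# Anchors from the trusted-keys { ... } block of a named.conf. A token containing
# a dot starts a new anchor (base64 never contains dots); the next three tokens
# are flags/protocol/algorithm; remaining tokens, possibly spread over several
# quoted strings, are the key.
anchors_from_conf() {
    awk '
    function flush() {
        if (owner != "") print owner, meta[1], meta[2], meta[3], key
        owner = ""
    }
    /^[ \t]*trusted-keys[ \t]*[{]/ { inblk = 1; next }
    inblk && /^[ \t]*[}][ \t]*;/   { flush(); inblk = 0; next }
    inblk {
        gsub("[\";]", " ")          # quotes and ";" are syntax, not data
        for (i = 1; i <= NF; i++) {
            if (index($i, ".") > 0) { flush(); owner = $i; pos = 0; key = "" }
            else if (pos < 3)       { meta[++pos] = $i }
            else                    { key = key $i }
        }
    }' | sort
}

# Lines present in file $1 but not in file $2.
only_in_first() {
    while read -r line; do
        grep -qxF -- "$line" "$2" || printf '%s\n' "$line"
    done < "$1"
}

# Exit 0: every configured anchor is still published and nothing new appeared.
# Exit 1: a configured anchor is gone; named will now fail lookups under the
#         lookaside, which is the outage described in the thread.
# Exit 2: a KSK is published that is not yet in named.conf (roll in progress:
#         add it before the old key is withdrawn).
check_trust_anchors() {        # $1: named.conf, $2: saved dig output
    live=$(mktemp)
    conf=$(mktemp)
    ksks_from_dig < "$2" > "$live"
    anchors_from_conf < "$1" > "$conf"
    stale=$(only_in_first "$conf" "$live")
    new=$(only_in_first "$live" "$conf")
    rm -f "$live" "$conf"
    [ -n "$stale" ] && { printf 'STALE anchor(s), validation broken:\n%s\n' "$stale"; return 1; }
    [ -n "$new" ]   && { printf 'NEW KSK(s) published, update trusted-keys:\n%s\n' "$new"; return 2; }
    return 0
}

# --- constructed sample data: dummy keys, not real DLV material ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/named.conf" <<'EOF'
trusted-keys {
    dlv.isc.org. 257 3 5 "AwEAAdummyOLDkskPART1"
                         "dummyOLDkskPART2";
};
EOF
# Mid-roll: old and new KSK both published (config still valid, needs updating).
cat > "$WORK/dig-during-roll.txt" <<'EOF'
dlv.isc.org. 7200 IN DNSKEY 257 3 5 AwEAAdummyOLDkskPART1 dummyOLDkskPART2
dlv.isc.org. 7200 IN DNSKEY 257 3 5 AwEAAdummyNEWkskPART1 dummyNEWkskPART2
EOF
# After the roll: only a ZSK (256, ignored) and the new KSK; the anchor is stale.
cat > "$WORK/dig-after-roll.txt" <<'EOF'
;; ANSWER SECTION:
dlv.isc.org. 7200 IN DNSKEY 256 3 5 AwEAAdummyZSKpart1 dummyZSKpart2
dlv.isc.org. 7200 IN DNSKEY 257 3 5 AwEAAdummyNEWkskPART1 dummyNEWkskPART2
EOF

for f in dig-during-roll.txt dig-after-roll.txt; do
    rc=0
    check_trust_anchors "$WORK/named.conf" "$WORK/$f" || rc=$?
    echo "$f: exit $rc"
done
```

In production the second argument would be the output of `dig dnskey dlv.isc.org @127.0.0.1` saved by the daily cron job, and the job should alert on any non-zero exit: 2 is the early warning that gives time to update the trusted-keys block, 1 means the resolver is already in the state described above. The dig query goes to the validating resolver itself, so a DNSKEY answer that arrives with the AD flag tells you the current anchor still chains to it; once it no longer does, the script's exit 1 is the last thing you will get out of that server until the anchor is fixed.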