In message <e754e90904051805i6ac1dda6k57f78be2cf00a...@mail.gmail.com>, R Dicaire writes:
> On Sun, Apr 5, 2009 at 8:48 PM, Mark Andrews <mark_andr...@isc.org> wrote:
> > Named is still able to return answers if you tell it not to
> > validate the answers by setting CD=1 in the query. This flag
> > is usually used when you have a validating resolver using another
> > validating resolver to get its answers.
> >
> > When the lookups were failing answers like this were returned.
>
> The one thing I didn't do was a direct dig itself. I was tailing
> dnssec.log and watching the DLV lookups failing, and my web browser
> was failing to load any site, reporting the hostname couldn't be
> resolved.
>
> Above, you mention setting CD=1 in the query. How is this done by
> applications trying to resolve hostnames when there's a problem like
> last night's?

Only DNSSEC aware validating applications should do this.

> Would setting the named.conf directive
>
> dnssec-validation no;
>
> do this? (as I mentioned previously, I had to comment out
> dnssec-validation and the trust anchor directive that points to ISC so
> I could resolve queries)

Which is a reasonable response.

DNSSEC is a bit like digital TV: it's all or nothing. Zones will work or not if there are operator errors.

DLV is just a very critical zone in that it works out which zones are secure or not, so it is involved in every lookup which is not part of a separately configured island of trust.

When the root is signed and you have a trust anchor for the root configured, DLV will be used to bridge the gaps in the delegation chains. Lookups in secure zones for which there is a theoretical secure path won't use DLV.

Mark

> --
> aRDy Music and Rick Dicaire present:
> http://www.ardynet.com
> http://www.ardynet.com:9000/ardymusic.ogg.m3u
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
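The thread asks how an application actually sets "CD=1 in the query". The following is an added example, not code from this list message or from ISC: it builds a raw DNS query in pure Python with the CD bit set (and reads the AD/CD bits back out of a packet), so you can see which header bit is meant without a resolver library or network access. The flag constants follow the RFC 1035 header layout and the RFC 4035 definitions of AD and CD; `answer_is_secure` is a hypothetical policy helper that encodes Mark's point that only a client which validates DNSSEC itself should rely on CD=1 answers.

```python
"""Build a DNS query with the CD (Checking Disabled) header bit set.

Added illustration, not from the bind-users thread.  Pure Python, no
resolver library: the packet is built and parsed in memory, so it runs
offline.  Header layout per RFC 1035 section 4.1.1; the AD and CD bits
are defined in RFC 4035 section 3.2.
"""
import struct

# Bits in the 16-bit header flags word (bit 15 = QR ... bit 0 = RCODE low bit).
FLAG_RD = 0x0100  # Recursion Desired
FLAG_AD = 0x0020  # Authentic Data: set by a validating resolver in its answer
FLAG_CD = 0x0010  # Checking Disabled: client asks the resolver not to validate


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, e.g. isc.org -> 3isc3org0."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                cd: bool = False, rd: bool = True) -> bytes:
    """Return a wire-format query; cd=True is the 'CD=1' the thread refers to."""
    flags = 0
    if rd:
        flags |= FLAG_RD
    if cd:
        flags |= FLAG_CD
    # ID, flags, QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_flags(packet: bytes) -> dict:
    """Decode the header bits an application cares about from a query or response."""
    txid, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": txid,
        "rd": bool(flags & FLAG_RD),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
    }


def answer_is_secure(response_flags: dict, validates_locally: bool) -> bool:
    """Hypothetical policy helper (not BIND code).

    A client that validates RRSIGs itself may use CD=1 answers, since it
    does its own checking.  A client that does not validate must not set CD,
    and may treat data as DNSSEC-secure only when the upstream validating
    resolver set AD on an answer to a query sent with CD clear.
    """
    if validates_locally:
        return True
    return response_flags["ad"] and not response_flags["cd"]


if __name__ == "__main__":
    q = build_query("www.example.com", cd=True)  # constructed sample query
    print(q.hex())
    print(parse_flags(q))
```

The equivalent from the command line is `dig +cdflag <name>`, which sets the same bit; a query built this way against a named that is failing validation gets the unvalidated answer back, which is why only a client that validates on its own should send it.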