Re: [nznog] DNSSEC single point of failure?

On Sun, 24 Aug 2014 09:12:26 Jay Daley wrote:

Is there any particular reason you are using DLV and not ordinary root DNSSEC?

I'm just using the default dnssec config for Bind 9.8 on RHEL 6, under the assumption that the defaults would be safe. Thanks.

On 24/08/2014, at 9:00 am, Jean-Francois Pirus wrote:

...

Unless I'm missing something, looks like my internal dns stopped working because there were issues with the link to the US.

All because dnssec is enabled in bind.

Namely queries from a resolver server would timeout looking up MYHOST.MYDOMAIN.com.dlv.isc.org before it got to querying my authoritative server.

It's been a while but I thought it was myhost.mydomain.dlv.isc.org (i.e. no .com)

...

Is there any way to work around that?

Don't use DLV?

Jay

...

Seems like a single point of failure, where resolvers will fail if there are any issues with com.dlv.isc.org.

Thanks.

-- Jean-Francois Pirus | Technical Manager francois(a)clearfield.com | Mob +64 21 640 779 | DDI +64 9 282 3401 Clearfield Software Ltd | Ph +64 9 358 2081 | www.clearfield.com