Hi Everyone,
Just as an FYI to those not on the BIND mailing list, there has also been some discussion there (from the engineer who responded to the bug) regarding the DLV configuration: https://lists.isc.org/pipermail/bind-users/2014-August/093834.html
Thanks,
Fraser
On 26/08/2014 11:40 a.m., Jean-Francois Pirus wrote:
FYI: A bug has been raised with RedHat.
"Outdated DLV (DNSSEC Lookaside Validation) configuration causes single point of failure" https://bugzilla.redhat.com/show_bug.cgi?id=1133713
On Tue, 26 Aug 2014 10:43:53 Jean-Francois Pirus wrote:
On the slightly worse news department, DLV lookup is still the default for RHEL 7/CentOS 7 with bind-9.9.4.
So this will be an issue for future deployments too.
From the named.conf:
    dnssec-lookaside auto;
and
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
On Tue, 26 Aug 2014 07:37:52 Ewen McNeill wrote:
On 26/08/14 2:06, Joe Abley wrote:
DLV was a transition mechanism that was arguably most useful before the root zone was signed. The root zone was signed in 2010.
FWIW, the original poster mentioned using RHEL 6, which was first released in 2010:
https://access.redhat.com/articles/3078
Presumably the default config file examples were first prepared at a point when DLV still looked like a useful idea (e.g. before the root and as many TLDs were signed, when 2LD/3LD trust anchors were potentially helpful). AFAIK Red Hat doesn't update the default config files in point releases, so I suspect it still has the GA config files by default.
I'd definitely echo the sentiments of others that when deploying an older operating system (and RHEL 6 is coming up to 4 years old; RHEL 7 was released earlier this year) it is worth the time to double check that key software components important to you, especially those for an area like DNSSEC which has seen significant change over that time, are (a) still the best version for you to run and (b) have appropriate configuration. What was potentially a good idea in 2010 may not still be a good idea in 2014.
Which is not really specific to RHEL 6, or even DNSSEC, so much as best practice when deploying older software. Definitely something to be aware of with RHEL 6 and DNSSEC though, as it was one of the first OSes to ship with DNSSEC validation preconfigured. I doubt this will be the last time someone deploys RHEL 6 in 2014 or even 2015...
Ewen
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
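The thread's practical question is whether a given named.conf still carries a live `dnssec-lookaside auto;` (the RHEL 7 bind-9.9.4 default quoted above) and what the corrected stanza looks like. The script below is an added example written for this page, not code from the thread, Red Hat or ISC. It embeds two constructed named.conf fragments (one modelled on the quoted default, one corrected), strips BIND-style comments so a commented-out statement is not reported as live, and prints the effective `dnssec-lookaside` value. The corrected fragment assumes BIND 9.8+ syntax, where `dnssec-validation auto;` loads the built-in root trust anchor and `dnssec-lookaside no;` switches lookaside off; the helper names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): report the effective
# dnssec-lookaside setting of a named.conf and show the corrected form.

# Constructed sample, modelled on the RHEL 7 bind-9.9.4 default quoted
# in the thread: validation on, lookaside on, so dlv.isc.org becomes a
# dependency of every validating resolver built from this file.
rhel7_default_conf() {
cat <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; };
        directory       "/var/named";
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
};
EOF
}

# Constructed corrected version (assumes BIND 9.8+ syntax): validation
# stays on with the built-in root trust anchor, lookaside is removed.
corrected_conf() {
cat <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; };
        directory       "/var/named";
        recursion yes;

        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside no;
};
EOF
}

# dlv_status: read named.conf text on stdin and print the effective
# dnssec-lookaside value: "auto", "no", a trust-anchor domain such as
# ".", or "unset" when no live statement is present.
# All three BIND comment styles (// ..., # ..., /* ... */ on one line)
# are stripped first, so a commented-out default is not flagged.
dlv_status() {
    awk '
        { sub(/\/\/.*$/, ""); sub(/#.*$/, ""); gsub(/\/\*[^*]*\*\//, "") }
        {
            for (i = 1; i <= NF; i++)
                if ($i == "dnssec-lookaside" && i < NF) {
                    v = $(i + 1); sub(/;$/, "", v)
                    print v; found = 1; exit
                }
        }
        END { if (!found) print "unset" }
    '
}

# dlv_is_live: exit 0 when the value means DLV is consulted at runtime.
# Anything other than "no" or "unset" ("auto" or an explicit domain)
# keeps dlv.isc.org in the validation path.
dlv_is_live() {
    case "$1" in
        no|unset) return 1 ;;
        *)        return 0 ;;
    esac
}

# Stand-alone use: ./dlv-check.sh /etc/named.conf (defaults to the samples).
if [ "$#" -gt 0 ] && [ -r "$1" ]; then
    v=$(dlv_status < "$1")
    if dlv_is_live "$v"; then
        printf '%s: dnssec-lookaside %s (DLV still in use)\n' "$1" "$v"
    else
        printf '%s: dnssec-lookaside %s (DLV off)\n' "$1" "$v"
    fi
else
    printf 'RHEL 7 default sample: %s\n' "$(rhel7_default_conf | dlv_status)"
    printf 'corrected sample:      %s\n' "$(corrected_conf | dlv_status)"
fi
```

On a real host, feed the script the output of `named-checkconf -p /etc/named.conf` rather than the raw file, so that included files and defaults are resolved before the check runs; the value printed is what the running named will actually use.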