On 24/08/14 9:23 am, Jean-Francois Pirus wrote:
On Sun, 24 Aug 2014 09:12:26 Jay Daley wrote:
Is there any particular reason you are using DLV and not ordinary root DNSSEC?
I'm just using the default dnssec config for Bind 9.8 on RHEL 6, under the assumption that the defaults would be safe.
That's interesting to see. Your configuration has a SPoF because it requires access to the DLV @ isc.org. But if you use the root trust anchor, you can benefit from the multiple copies of the root zone around the world (including 3 in NZ if my memory serves me well). Sounds like a good point to raise to the BIND configuration maintainer at RedHat, because unless you have specific requirements, it's better not to use DLV.
Cheers,
Thanks.
On 24/08/2014, at 9:00 am, Jean-Francois Pirus wrote:
Unless I'm missing something, looks like my internal dns stopped working because there were issues with the link to the US.
All because dnssec is enabled in bind.
Namely queries from a resolver server would timeout looking up MYHOST.MYDOMAIN.com.dlv.isc.org before it got to querying my authoritative server.
It's been a while but I thought it was myhost.mydomain.dlv.isc.org (i.e. no .com)
Is there any way to work around that?
Don't use DLV?
Jay
Seems like a single point of failure, where resolvers will fail if there are any issues with com.dlv.isc.org.
Thanks.
-- Sebastian Castro Technical Research Manager .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 495 2337 mobile: +64 21 400535
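As an added illustration, not taken from the thread, here are the two BIND named.conf option sets the discussion turns on: the DLV-dependent one (assumed here to match the RHEL 6 default the thread describes) beside the root-anchor-only alternative that removes the dependency on isc.org; `dnssec-validation auto` uses BIND's built-in root key (BIND 9.7 and later).

```conf
options {
    // Variant A: lookaside validation, assumed to be the RHEL 6 default.
    // "auto" enables DLV against dlv.isc.org with BIND's built-in DLV key,
    // so a validated lookup may also need dlv.isc.org to be reachable and
    // can time out when the link to it is broken.
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
};

options {
    // Variant B: root trust anchor only.
    // "auto" loads BIND's built-in root key and keeps it current via
    // RFC 5011 managed-keys; "no" disables lookaside entirely, so no
    // query is ever sent to dlv.isc.org and the single point of failure
    // described in the thread is gone.
    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside no;
};
```

After reloading with variant B, `rndc secroots` dumps the active trust anchors to named.secroots, which should list only the root key and no DLV entry; a `dig +dnssec` for a signed name should then return the `ad` flag.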