dnssec-lookaside auto key expiration

dnssec-lookaside auto key expiration

Drew Weaver

Hello,

I unfortunately got hit by the key expiration or whatever just happened about an hour ago that caused the “dnssec-lookaside auto” command to crush all of our DNS queries.

I realize that it wasn’t doing anything, but we left the command in there because it had been in there and in the documentation it said it was harmless.

It wasn’t harmless.

Anyway, I can’t go back in time and make it harmless, but are there any other timebombs coming up in the near future that people might not know about that they need to address?

Thanks,

-Drew


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec-lookaside auto key expiration

Vicky Risk
We apparently let our signatures on dlv.isc.org expire. We are fixing it now. We apologize for this.

This was an accident - we did *not* do this on purpose - but in fact, this is a good time for anyone who still has dlv.isc.org configured to REMOVE it from your BIND configuration. The zone is empty, lookups to the zone do nothing beneficial, and as has just been demonstrated, when the zone is bogus, it can have a negative impact.

I expect we will have some message here or on Twitter when the issue is finally resolved, but I don’t want to interrupt the person who is currently working on fixing it. 

As we are removing other obsolete features, we are tracking them along with the newly added features on the BIND Significant Features Matrix. https://kb.isc.org/docs/aa-01310  The DLV was actually removed from 9.16 so as later versions are adopted, it will no longer even be possible to run named with the dlv configured. 

Vicky Risk


Victoria Risk
Product Manager
Internet Systems Consortium

Re: dnssec-lookaside auto key expiration

Håvard Eidnes via bind-users
> This was an accident - we did *not* do this on purpose - but in fact,
> this is a good time for anyone who still has dlv.isc.org configured
> to REMOVE it from your BIND configuration.

This advice may be misunderstood.  Use of dlv.isc.org is usually
implied, not explicitly stated in named.conf, typically via

  dnssec-lookaside auto;

(or "yes").  This should (most probably) be changed to

  dnssec-lookaside no;

I don't have the cross-reference of what the default value has been
for this option up through the history of BIND, so explicitly setting
it to "no" is for now the safe thing to do.

Best regards,

- Håvard
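A small audit script, added here as an example and not part of any post in this thread or of BIND itself: it finds the implied DLV configuration Håvard describes (`dnssec-lookaside auto;` or `yes;`, plus any explicit reference to `dlv.isc.org`) in a named.conf and rewrites the `auto`/`yes` form to the explicit `dnssec-lookaside no;`. The function names, the constructed sample named.conf and the assumption that the configuration is a single flat file with no `include` statements are all mine, not the thread's.

```sh
#!/bin/sh
# Added example, not from the thread or from ISC. Audits a named.conf for
# the DLV settings discussed above and rewrites them to "dnssec-lookaside no;".
# Assumption: a single flat file; "include" statements are not followed.

# dlv_audit FILE
# Prints each non-comment line that still configures DLV, either
# "dnssec-lookaside auto;" / "yes;" or anything naming dlv.isc.org.
# Returns 0 when the file is clean, 1 when DLV configuration was found.
dlv_audit() {
    conf="$1"
    # Second grep drops lines whose first non-blank characters open a comment.
    hits=$(grep -nE 'dnssec-lookaside[[:space:]]+(auto|yes)|dlv\.isc\.org' "$conf" \
           | grep -vE '^[0-9]+:[[:space:]]*(//|#|/\*)' || :)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# dlv_fix FILE
# Keeps a backup in FILE.bak and turns "dnssec-lookaside auto;" or "yes;"
# into the explicit "dnssec-lookaside no;" Håvard suggests. Lines that name
# dlv.isc.org as a trust anchor are left alone: they carry key material and
# deserve a human's eyes before deletion.
dlv_fix() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed -E 's/^([[:space:]]*)dnssec-lookaside[[:space:]]+(auto|yes)[[:space:]]*;/\1dnssec-lookaside no;/' \
        "$conf.bak" > "$conf"
}

# dlv_count_no FILE
# Number of explicit "dnssec-lookaside no;" statements (prints 0 if none).
dlv_count_no() {
    grep -cE 'dnssec-lookaside[[:space:]]+no[[:space:]]*;' "$1" || :
}

# make_sample_conf FILE
# Writes a constructed named.conf fragment (not a real site config) with the
# implied-DLV line a distribution package might have shipped, plus a
# commented-out copy that must not count as a hit.
make_sample_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    // dnssec-lookaside auto;   (commented out, must be ignored)
    dnssec-lookaside auto;
};
EOF
}

# Demo: audit the constructed sample, fix it, audit again.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/named.conf"
if dlv_audit "$demo_dir/named.conf"; then
    echo "no DLV configuration found"
else
    echo "DLV configuration found; rewriting to dnssec-lookaside no;"
    dlv_fix "$demo_dir/named.conf"
    dlv_audit "$demo_dir/named.conf" && echo "clean after fix"
fi
# If BIND's own checker is installed, confirm the result still parses.
if command -v named-checkconf >/dev/null 2>&1; then
    named-checkconf "$demo_dir/named.conf" || echo "named-checkconf reported a problem"
fi
```

Real configurations are usually split across several files via `include`, so run `dlv_audit` over each of them (or over the output of `named-checkconf -p`, which prints the fully expanded configuration). The explicit `no;` is the conservative choice for the older versions whose defaults Håvard is unsure about; on the versions Vicky mentions that have dropped DLV altogether (9.16 and later) the forward-compatible option is to delete the statement entirely.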
Re: dnssec-lookaside auto key expiration

Mark Andrews


> On 26 Mar 2020, at 08:04, Havard Eidnes via bind-users <[hidden email]> wrote:
>
>> This was an accident - we did *not* do this on purpose - but in fact,
>> this is a good time for anyone who still has dlv.isc.org configured
>> to REMOVE it from your BIND configuration.
>
> This advice may be misunderstood.  Use of dlv.isc.org is usually
> implied, not explicitly stated in named.conf, typically via
>
>  dnssec-lookaside auto;
>
> (or "yes").  This should (most probably) be changed to
>
>  dnssec-lookaside no;
>
> I don't have the cross-reference of what the default value has been
> for this option up through the history of BIND, so explicitly setting
> it to "no" is for now the safe thing to do.

DLV is off by default in all versions ISC shipped (from memory).  Various distributions
have enabled DLV in named.conf files they have shipped.  We have tried hard to
get DLV queries stopped but DNS has a long tail.  We try to only introduce breaking
changes in .0 releases, which for DLV was 9.12.0.

BIND 9.9.10, 9.10.5 May 2016

4352.   [cleanup]       The ISC DNSSEC Lookaside Validation (DLV) service
                        is scheduled to be disabled in 2017.  A warning is
                        now logged when named is configured to use it,
                        either explicitly or via "dnssec-lookaside auto;"
                        [RT #42207]

Formal announcement of operations ceasing apart from an empty zone.

https://kb.isc.org/docs/iscs-dnssec-look-aside-validation-registry Sep 2017


BIND 9.9.12, 9.10.7, 9.11.3, 9.12.1, 9.13.0 had the following in them Feb 2018.

4889.   [func]          Warn about the use of old root keys without the new
                        root key being present.  Warn about dlv.isc.org's
                        key being present. Warn about both managed and
                        trusted root keys being present. [RT #43670]

BIND 9.9.12, 9.10.7, 9.11.3

4749.   [func]          The ISC DLV service has been shut down, and all
                        DLV records have been removed from dlv.isc.org.
                        - Removed references to ISC DLV in documentation
                        - Removed DLV key from bind.keys
                        - No longer use ISC DLV by default in delv
                        [RT #46155]

BIND 9.12.0

4749.   [func]          The ISC DLV service has been shut down, and all
                        DLV records have been removed from dlv.isc.org.
                        - Removed references to ISC DLV in documentation
                        - Removed DLV key from bind.keys
                        - No longer use ISC DLV by default in delv
                        - "dnssec-lookaside auto" and configuration of
                          "dnssec-lookaside" with dlv.isc.org as the trust
                          anchor are both now fatal errors.
                        [RT #46155]

BIND 9.15.3 (development) / 9.16.0

5276.   [func]          DNSSEC Lookaside Validation (DLV) is now obsolete;
                        all code enabling its use has been removed from the
                        validator, "delv", and the DNSSEC tools. [GL #7]

> Best regards,
>
> - Håvard

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]
