Was it a "glitch" or someone just plain old forgot to do it?
At 02:29 AM 26/03/2020, Mark Andrews wrote:
It was a glitch with the re-signing of the zone. There should be an official
report sometime tomorrow. That said "dnssec-lookaside auto;" has been a no-op
in BIND since BIND 9.9.12, BIND 9.10.7, BIND 9.11.3 and a fatal configuration
error as of BIND 9.12.0. We didn't want the DLV lookup traffic and it provides no
benefit as the zone has been empty since 2017.

If you have dnssec-lookaside configured in named.conf please remove it, otherwise
the DLV code in the validator has to cryptographically prove that DLV records don't
exist before returning that the response is insecure. That requires talking to the
servers for dlv.isc.org. It does this every hour for an active validating resolver
that is still running DNSSEC lookaside validation.
Mark
> On 26 Mar 2020, at 04:18, Drew Weaver <drew.wea...@thenap.com> wrote:
>
> Did anyone else on CentOS 6 just have some DNS resolvers totally fall over?
>
> I noticed that this command: dnssec-lookaside auto; was causing the issue. The issue occurred right at about 1PM EST.
>
> I see this note in the ISC key file..
>
> # ISC DLV: See https://www.isc.org/solutions/dlv for details.
> #
> # NOTE: The ISC DLV zone is being phased out as of February 2017;
> # the key will remain in place but the zone will be otherwise empty.
> # Configuring "dnssec-lookaside auto;" to activate this key is
> # harmless, but is no longer useful and is not recommended.
>
> It's not harmless anymore.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
--
Clayton Zekelman
Managed Network Systems Inc. (MNSi)
3363 Tecumseh Rd. E
Windsor, Ontario
N8W 1H4
tel. 519-985-8410
fax. 519-985-8409
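A small check for the directive Mark asks people to remove, added here as an example and not part of the thread or of BIND itself. It scans a named.conf for "dnssec-lookaside" (ignoring commented-out occurrences) and produces a cleaned copy. The named.conf snippet is constructed for illustration, and the comment stripping only handles comments that start and end on one line.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from ISC.
# Scan a named.conf for the deprecated "dnssec-lookaside" directive,
# which BIND 9.12+ rejects as a fatal configuration error and which
# older releases keep honouring by polling dlv.isc.org every hour.

# Constructed sample configuration (not a real file from the thread).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;   /* deprecated; DLV zone empty since 2017 */
    // dnssec-lookaside auto;   (already commented out, must not trigger)
};
EOF

# Return 1 (and report the offending lines on stderr) when the directive
# is present, 0 when the config is clean. Single-line comments in the
# three forms BIND accepts (/* */, //, #) are stripped first so that a
# commented-out directive does not produce a false positive. Note that
# "//" stripping would also truncate a URL inside a quoted string.
has_dlv_directive() {
    conf="$1"
    matches=$(sed -e 's|/\*.*\*/||g' -e 's|//.*$||' -e 's|#.*$||' "$conf" \
        | grep -n 'dnssec-lookaside' || true)
    if [ -n "$matches" ]; then
        printf '%s: deprecated directive found:\n%s\n' "$conf" "$matches" >&2
        return 1
    fi
    return 0
}

# Emit a copy of the config with every line containing the directive
# removed, which is the fix recommended in the thread.
remove_dlv_directive() {
    sed -e '/dnssec-lookaside/d' "$1"
}

# Run the check on the sample and write a cleaned copy if needed.
if has_dlv_directive "$SAMPLE_CONF"; then
    echo "$SAMPLE_CONF: clean"
else
    remove_dlv_directive "$SAMPLE_CONF" > "$SAMPLE_CONF.fixed"
    echo "wrote cleaned config to $SAMPLE_CONF.fixed"
fi
```

After editing a live named.conf this way, run named-checkconf before reloading, since the check above only looks for the one directive and not at the rest of the file.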