Hi all,
I've got two recursive DNS servers running on FreeBSD 7.0 each with BIND
9.4.2-P2. I got a call this morning that DNS lookups were broken. I found named
crashed on one server, and was still running on the other but not giving any
responses. I had a third recursive server that was in a different location,
different OS and different config that was working fine. Furthermore, my
recursive client counts were over 10x what they should be reaching the default
limit of 1000. Long story short, I finally disabled dnssec and everything
started working again. This configuration has been untouched and working for a
couple of months now. No changes were made. My relevant configuration is very
simple for dnssec and is as follows:
trusted-keys {
dlv.isc.org. 257 3 5
"BEAAAAPp1USu3BecNerrrd78zxJIslqFaJ9csRkxd9LCMzvk9Z0wFzoF
kWAHMmMhWFpSLjPLX8UL6zDg85XE55hzqJKoKJndRqtncUwHkjh6zERN
uymtKZSCZvkg5mG6Q9YORkcfkQD2GIRxGwx9$
};
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside . trust-anchor dlv.isc.org.;
Any ideas why this broke? It wasn't just dnssec validation that was broken. I
could not even resolve the A records for the root servers. My only thought is
my trusted-key is no longer valid. Looking at ISC's web site, I see a DLV KSK
Public key from 2008/09/21. This is different from the one I was using above. I
must have missed it in the instructions somewhere including on that page, but
is regular rotation of these keys part of maintenance? I know it is for signed
authoritative zones with dnssec, but it isn't clear for using
lookaside-validation with ISC. I'm guessing the answer is yes and I should be
subscribed to the [EMAIL PROTECTED] mailing list or wait for a better automated
mechanism for this to work.
-Vinny
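The stale-trust-anchor situation described in the post can be caught before it breaks resolution by comparing the key tags of the keys in a BIND trusted-keys stanza with the DNSKEY RRset the zone currently publishes (for example the output of `dig DNSKEY dlv.isc.org`). In BIND 9.4 a trusted-keys entry is static, so when the zone rolls its KSK the operator has to replace the key by hand; later BIND releases added automatic trust-anchor maintenance. The following script is an added example, not code from the original post or from ISC: the stanza and the DNSKEY lines it contains are constructed, synthetic key material, and the function names are this example's own.

```python
"""Compare a BIND trusted-keys stanza with the DNSKEY RRs a zone publishes.

Added illustrative code, not from the original post or from BIND/ISC.
All key material below is constructed and synthetic; the real DLV key is
not reproduced here.
"""
import base64
import re

# Constructed sample: a trusted-keys stanza in the same shape as the one in
# the post, with the base64 key wrapped across two lines as BIND permits.
CONFIGURED_STANZA = """
trusted-keys {
    dlv.isc.org. 257 3 5
    "AQID
     BA==";
};
"""

# Constructed sample of DNSKEY RRs in presentation format, as `dig` prints
# them, after a KSK roll: a new SEP key (flags 257) and a ZSK (flags 256).
PUBLISHED_DNSKEY_RRS = """
dlv.isc.org.  3600 IN DNSKEY 257 3 5 BQYHCA==
dlv.isc.org.  3600 IN DNSKEY 256 3 5 CQoLDA==
"""

SEP_FLAG = 0x0001  # Secure Entry Point bit, set on keys intended as trust anchors


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (the checksum used for all algorithms but 1).

    The tag is computed over the DNSKEY RDATA: flags, protocol, algorithm, key.
    """
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_trusted_keys(stanza):
    """Map (owner, key_tag) -> flags for every entry in a trusted-keys block."""
    entry = re.compile(r'(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;')
    anchors = {}
    for name, flags, proto, alg, key in entry.findall(stanza):
        key = re.sub(r"\s+", "", key)  # rejoin a key split across lines
        flags, proto, alg = int(flags), int(proto), int(alg)
        anchors[(name.lower(), key_tag(flags, proto, alg, key))] = flags
    return anchors


def parse_dnskey_rrs(text):
    """Map (owner, key_tag) -> flags for each DNSKEY RR in presentation format."""
    rr = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$", re.M)
    published = {}
    for name, flags, proto, alg, key in rr.findall(text):
        key = re.sub(r"\s+", "", key)  # dig may break the base64 into chunks
        flags, proto, alg = int(flags), int(proto), int(alg)
        published[(name.lower(), key_tag(flags, proto, alg, key))] = flags
    return published


def compare_anchors(configured, published):
    """Return (stale anchors no longer published, published SEP keys not configured)."""
    stale = sorted(k for k in configured if k not in published)
    unconfigured = sorted(k for k, flags in published.items()
                          if flags & SEP_FLAG and k not in configured)
    return stale, unconfigured


if __name__ == "__main__":
    configured = parse_trusted_keys(CONFIGURED_STANZA)
    published = parse_dnskey_rrs(PUBLISHED_DNSKEY_RRS)
    stale, new_ksks = compare_anchors(configured, published)
    for name, tag in stale:
        print(f"STALE anchor: {name} key tag {tag} is no longer in the zone's DNSKEY RRset")
    for name, tag in new_ksks:
        print(f"NEW SEP key:  {name} key tag {tag} is published but not in trusted-keys")
    if not stale and not new_ksks:
        print("trusted-keys match the published SEP keys")
```

Run as a scheduled check, a non-empty stale list is the signal to update the stanza and reload named before validation of everything below the anchor starts failing; the key tag is the same number `dig` shows in the DS and RRSIG records, so it is convenient for matching without handling the full key.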