Hi folks, last night the ISC server responsible for responding to DLV lookups was apparently down. Since all lookups were failing due to a lack of response from this server, bind couldn't resolve anything at all. I had to comment out a couple lines in named.conf to restore function.
bind-9.4.3-P2

Here's the dnssec configuration lines used in named.conf:

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
    trusted-keys {
        dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeN D4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf 8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF 1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
    };

I'm not sure, but if a lookup fails dnssec auth, shouldn't bind treat the answer as insecure, and return said answer? In the scenario described above, I wasn't even able to get answers, let alone whether said answers could be authenticated. Bv9ARM.pdf is unclear regarding how bind should behave regarding use of the dnssec-validation directive.

Shouldn't the behaviour for DLV lookups be such that if the query can't be answered by the DLV server, then fall back to a non-dnssec lookup? Perhaps there's a configuration issue I'm using that caused this unexpected behaviour I describe?

Thanks

--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
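A quick way to tell "the validator is failing closed" apart from "the resolver is down" is to repeat the failing query with the CD (checking disabled) bit set, which asks the resolver to skip DNSSEC validation. This diagnostic is an added example, not part of the post above; it assumes dig(1) is available, and RESOLVER and NAME are hypothetical defaults.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): classify why a validating
# resolver is returning SERVFAIL. Assumes dig(1); RESOLVER/NAME are assumptions.
RESOLVER="${RESOLVER:-127.0.0.1}"
NAME="${NAME:-isc.org}"

# Pull the RCODE (NOERROR, SERVFAIL, ...) out of dig output read from stdin.
dig_status() {
  sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Classify from two statuses: the normal query and the same query with +cd.
# If data comes back only when validation is skipped, validation (or the
# trust-anchor/DLV path it depends on) is the problem, not resolution.
classify() {
  normal="$1"; cd_status="$2"
  if [ "$normal" = "NOERROR" ]; then
    echo "ok"
  elif [ "$normal" = "SERVFAIL" ] && [ "$cd_status" = "NOERROR" ]; then
    echo "validation-failure"
  elif [ -z "$normal" ]; then
    echo "no-response"            # dig got nothing back at all
  else
    echo "resolution-failure"     # fails regardless of validation
  fi
}

# Run both queries against the resolver and print the classification.
check_resolver() {
  n=$(dig @"$RESOLVER" "$NAME" A +time=3 +tries=1 | dig_status)
  c=$(dig @"$RESOLVER" "$NAME" A +cd +time=3 +tries=1 | dig_status)
  classify "$n" "$c"
}
```

Run `check_resolver` against the resolver in question; "validation-failure" is the signature of the situation described above, where commenting out the DNSSEC lines restored service.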