> My caching dns failed unexpectedly today, apparently I was not alone:
> https://www.mail-archive.com/bind-users@lists.isc.org/msg28624.html
> From ISC: "We apparently let our signatures on dlv.isc.org expire."

Ouch!

> I fixed this temporarily by adding:
> dnssec-accept-expired yes;
> Which feels risky...

Yes, I would not do that.

> Another user on the ISC list suggested setting
> dnssec-lookaside no;
> Which also feels risky.

No, that's not risky at all! Given the current mess-up, ref. above (I wasn't aware of the cause), this is exactly the right solution.

I don't know what the default value for "dnssec-lookaside" is for the version of BIND you run, so setting it to "no" may be safest. This turns off the use of dlv.isc.org, which was used as a DNSSEC bootstrap mechanism before .com, .net, .org, and the root were DNSSEC-signed. ISC has argued that the purpose of dlv.isc.org is now made redundant, since all the aforementioned zones have long since been signed. Ref. https://www.isc.org/blogs/dlv/

> And generically ISC suggested all users remove the dlv.isc.org
> zone from their configuration...

...and any *use* of the zone, which is implied by dnssec-lookaside configuration of either "auto" or "yes".

Best regards,

- Håvard
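A small audit script, added here as an example and not part of the thread, that scans a named.conf for the two settings discussed above: the `dnssec-accept-expired yes;` workaround and any `dnssec-lookaside` value other than `no`. The sample config is constructed, and the script assumes a BIND 9 version that still recognises both options.

```python
"""Audit a BIND named.conf for the two DNSSEC settings discussed in the thread."""
import re

# Constructed sample named.conf (not a real deployment): it carries the risky
# temporary fix from the thread plus a lookaside setting that still relies on
# dlv.isc.org, with the recommended value only present as a comment.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    dnssec-accept-expired yes;   // temporary fix after the dlv.isc.org expiry
    dnssec-lookaside auto;       # still bootstraps trust via dlv.isc.org
    # dnssec-lookaside no;       # the recommended setting, commented out
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments so commented-out settings are not flagged."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def audit_named_conf(text):
    """Return a list of findings for settings that weaken or depend on DLV."""
    findings = []
    # named.conf statements end with ';', so split on it after comment removal.
    for stmt in strip_comments(text).split(";"):
        words = stmt.split()
        if not words:
            continue
        if words[0] == "dnssec-accept-expired" and words[1:2] == ["yes"]:
            findings.append(
                "dnssec-accept-expired yes: expired RRSIGs are accepted, so the "
                "replay protection that signature lifetimes provide is lost")
        elif words[0] == "dnssec-lookaside" and words[1:2] != ["no"]:
            findings.append(
                "dnssec-lookaside %s: validation still consults dlv.isc.org; "
                "set 'dnssec-lookaside no'" % " ".join(words[1:]))
    return findings


if __name__ == "__main__":
    for finding in audit_named_conf(SAMPLE_NAMED_CONF):
        print("FINDING:", finding)
```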