On 24/08/14 9:23 am, Jean-Francois Pirus wrote:
On Sun, 24 Aug 2014 09:12:26 Jay Daley wrote:
Is there any particular reason you are using DLV
and not ordinary root DNSSEC?
I'm just using the default dnssec config for Bind 9.8 on RHEL 6, under the assumption
that the defaults would be safe.
That's interesting to see. Your configuration has a SPoF because it
requires access to the DLV @ isc.org. But if you use the root trust
anchor, you can benefit from the multiple copies of the root zone around
the world (including 3 in NZ if my memory serves me well).
Sounds like a good point to raise to the BIND configuration maintainer
at RedHat, because unless you have specific requirements, it's better
not to use DLV.
On 24/08/2014, at 9:00 am, Jean-Francois Pirus <jfp(a)clearfield.com> wrote:
Unless I'm missing something, it looks like my internal DNS stopped working because
there were issues with the link to the US.
All because DNSSEC is enabled in BIND.
Namely, queries from a resolver server would time out looking up
before it got to querying my authoritative server.
It's been a while but I thought it was myhost.mydomain.dlv.isc.org
(i.e. no .com)
Is there any way to work around that?
Don't use DLV?
Seems like a single point of failure, where resolvers will fail if there are any issues
Technical Research Manager
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
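Editor's added example, not code from anyone in this thread: a small POSIX sh audit that reports whether a named.conf leans on DLV (`dnssec-lookaside`) and shows the root-trust-anchor stanza to use instead. The two `options {}` blocks are constructed here to mirror the kind of BIND 9.8 / RHEL 6 defaults the thread describes; the paths (`/var/named`, `/etc/named.iscdlv.key`, `/var/named/dynamic`) are assumptions, the parser expects one statement per line as in that file, and an absent `dnssec-lookaside` statement is treated as `no`, which is BIND's documented default for the option.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed config text modelled on
# the BIND 9.8 / RHEL 6 defaults the thread describes; paths are assumptions.
WEAK_CONF='options {
    directory "/var/named";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;          // validation now depends on dlv.isc.org
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};'

# Root-trust-anchor equivalent: "auto" loads the built-in root key and keeps
# it current via RFC 5011 managed keys, so validation needs only the root zone.
STRONG_CONF='options {
    directory "/var/named";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation auto;         // built-in root trust anchor (bind.keys)
    dnssec-lookaside no;            // no lookaside, no dependency on isc.org
    managed-keys-directory "/var/named/dynamic";
};'

# lookaside_setting FILE
# Print the argument of the first dnssec-lookaside statement in FILE
# ("auto", "no", ". trust-anchor dlv.isc.org", ...) or "unset" if absent.
# Comments (// and #) are stripped first so a commented-out line does not count.
# Assumes one statement per line, as in the RHEL-style file above.
lookaside_setting() {
    _ls=$(sed -e 's://.*$::' -e 's:#.*$::' "$1" |
        awk '$1 == "dnssec-lookaside" { sub(/;.*/, ""); $1 = ""; sub(/^ /, ""); print; exit }')
    printf '%s\n' "${_ls:-unset}"
}

# uses_dlv FILE: exit 0 when validation depends on DLV.
# An absent statement is treated like "no" (BIND's documented default).
uses_dlv() {
    case $(lookaside_setting "$1") in
        no|unset) return 1 ;;
        *)        return 0 ;;
    esac
}

# audit FILE: verdict on stdout; exit 1 and print the replacement stanza
# when DLV is in use, so the function can gate a config-management run.
audit() {
    if uses_dlv "$1"; then
        echo "$1: dnssec-lookaside $(lookaside_setting "$1") -> DLV in use; replace options with:"
        printf '%s\n' "$STRONG_CONF"
        return 1
    fi
    echo "$1: no DLV dependency (dnssec-lookaside $(lookaside_setting "$1"))"
}

# Stand-alone demo on the two constructed configs. Non-zero audit status is
# swallowed here so sourcing this file never aborts a caller; on a real
# system run: audit /etc/named.conf
demo() {
    _t=$(mktemp)
    printf '%s\n' "$WEAK_CONF" > "$_t";   audit "$_t" || :
    printf '%s\n' "$STRONG_CONF" > "$_t"; audit "$_t" || :
    rm -f "$_t"
}
demo
```

After switching to `dnssec-validation auto;` and `dnssec-lookaside no;`, reload with `rndc reload` and confirm that a signed name still validates locally (`dig +dnssec <signed-name> @127.0.0.1` should return the `ad` flag); `named` needs the root key in its bind.keys and write access to `managed-keys-directory` for the RFC 5011 rollover state. Note that ISC has since retired the DLV registry altogether, so any resolver still configured as in the weak block above has nothing left to look aside to.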