Just as an FYI to those not on the Bind Mailing list, there has also
been some discussion on there (from the engineer who responded to the
bug) regarding the DLV configuration.
FYI: A bug has been raised with RedHat.
"Outdated DLV (DNSSEC Lookaside Validation) configuration causes single point of
On Tue, 26 Aug 2014 10:43:53 Jean-Francois Pirus wrote:
> On the slightly worse news department, DLV lookup is still the default for
> RHEL7/Centos7 with bind-9.9.4.
> So this will be an issue for future deployments too.
> From the named.conf:
> dnssec-lookaside auto;
> // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
> On Tue, 26 Aug 2014 07:37:52 Ewen McNeill wrote:
>> On 26/08/14 2:06, Joe Abley wrote:
>>> DLV was a transition mechanism that was arguably most useful before the root
>>> zone was signed.
>>> The root zone was signed in 2010.
>> FWIW, the original poster mentioned using RHEL 6, which was first
>> released in 2010:
>> Presumably the default config file examples were first prepared at a
>> point when DLV still looked like a useful idea (eg, before the root/as
>> many TLDs were signed, when 2LD/3LD trust anchors were potentially
>> helpful). AFAIK RHEL don't update the default config files in point
>> releases, so I suspect it still has the GA config files by default.
>> I'd definitely echo the sentiments of others that when deploying an
>> older operating system (and RHEL 6 is coming up to 4 years old; RHEL 7
>> was released earlier this year) it is worth the time to double check
>> that key software components important to you, especially those for an
>> area like DNSSEC which has seen significant change over that time, are
>> (a) still the best version for you to run and (b) have appropriate
>> configuration. What was potentially a good idea in 2010 may not still
>> be a good idea in 2014.
>> Which is not really specific to RHEL 6, or even DNSSEC, so much as best
>> practice when deploying older software. Definitely something to be
>> aware of with RHEL 6 and DNSSEC though, as they were one of the first OS
>> to ship with DNSSEC validation preconfigured. I doubt this will be the
>> last time someone deploys RHEL 6 in 2014 or even 2015...
>> NZNOG mailing list
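The thread's practical point is the `dnssec-lookaside auto;` line shipped in the Red Hat named.conf: with the root zone signed, DLV adds nothing to validation and makes the resolver depend on a third-party lookaside zone. The script below is an added example, not code from the thread or from Red Hat or ISC. It audits a named.conf for an active (uncommented) `dnssec-lookaside` directive and prints the options block with that directive removed, leaving validation to the root trust anchor. The options block it checks is a constructed sample modelled on the snippet quoted above; the temporary file path and the function names are assumptions, so point `has_dlv`/`strip_dlv` at your real `/etc/named.conf` when using it.

```shell
#!/bin/sh
# Added example (not from the thread): find the outdated DLV directive in a
# named.conf and show the options block without it.

# Constructed sample of a Red Hat style options block; the real file on a
# RHEL 6/7 host is /etc/named.conf (path assumed, not read here).
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
options {
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;   /* DLV: the line the thread is about */
};
EOF

# has_dlv FILE
# Exit 0 (true) if FILE contains an active dnssec-lookaside directive,
# 1 otherwise. Lines commented out with // or # are ignored because the
# pattern requires the directive to start the line (after whitespace).
has_dlv() {
    grep -Eq '^[[:space:]]*dnssec-lookaside[[:space:]]' "$1"
}

# strip_dlv FILE
# Print FILE with every active dnssec-lookaside line deleted. The remaining
# dnssec-validation setting keeps validation on, anchored at the root key.
strip_dlv() {
    sed -E '/^[[:space:]]*dnssec-lookaside[[:space:]]/d' "$1"
}

# count_dlv FILE
# Number of active dnssec-lookaside lines in FILE (0 after strip_dlv).
count_dlv() {
    grep -Ec '^[[:space:]]*dnssec-lookaside[[:space:]]' "$1" || true
}

# Stand-alone run: report and show the corrected block.
if has_dlv "$SAMPLE_CONF"; then
    echo "DLV directive found in $SAMPLE_CONF; options block without it:"
    strip_dlv "$SAMPLE_CONF"
else
    echo "no active dnssec-lookaside directive in $SAMPLE_CONF"
fi
```

After removing the line from the real file, run `named-checkconf` before reloading so a stray brace or semicolon does not take the resolver down along with the DLV dependency.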