Bug 1133713

Summary: Outdated DLV (DNSSEC Lookaside Validation) configuration causes single point of failure
Product: Red Hat Enterprise Linux 7
Reporter: Jean-Francois Pirus <jfp>
Component: bind
Assignee: Tomáš Hozza <thozza>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.0
CC: mail
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-08-26 13:46:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jean-Francois Pirus 2014-08-25 23:36:08 UTC
Description of problem:
DLV (DNSSEC Lookaside Validation) causes single point of failure.
DLV is an early DNSSEC adoption protocol which is now mainly unnecessary as the root zones were signed in 2010.

It introduces a single point of failure, as non-authoritative resolvers will time out if dlv.isc.org is not accessible (link to the internet is down or link to the US is down).
This is true even when internal resolving servers can access the authoritative servers for local domains.

Version-Release number of selected component (if applicable):
All, as it is in the default config file.

How reproducible:
When dlv.isc.org is not accessible.

Steps to Reproduce:
1. Disable access to dlv.isc.org.
2. Non-authoritative resolvers will time out.

Actual results:
Non-authoritative resolvers fail to resolve everything.

Expected results:
Non-authoritative resolvers resolve everything.


Additional info:

Comment 2 Tomáš Hozza 2014-08-26 13:46:47 UTC
(In reply to Jean-Francois Pirus from comment #0)
> Description of problem:
> DLV (DNSSEC Lookaside Validation) causes single point of failure.
> DLV is an early DNSSEC adoption protocol which is now mainly unnecessary as
> the root zones were signed in 2010.

DLV can still be used, e.g. to authenticate some domain's DNSKEY in case the parent zone is not signed. It provides extra security, since it enables you to secure some domain using DNSSEC even if there is no chain of trust from the root.

> It introduces a single point of failure, as non-authoritative resolvers will
> time out if dlv.isc.org is not accessible (link to the internet is down or
> link to the US is down).
> This is true even when internal resolving servers can access the
> authoritative servers for local domains.

Only queries for UNSECURE domain names will fail if only dlv.isc.org is unreachable.

How would you like to perform DNSSEC validation and build a chain of trust if the internet is unreachable?

> Version-Release number of selected component (if applicable):
> All, as it is in the default config file.
> 
> How reproducible:
> When dlv.isc.org is not accessible.
> 
> Steps to Reproduce:
> 1. Disable access to dlv.isc.org.
> 2. non-authoritative resolvers will timeout.
> 
> Actual results:
> non-authoritative resolvers fail to resolve everything.
> 
> Expected results:
> non-authoritative resolvers resolve everything.
> 
> 
> Additional info:

The shipped default configuration is intended for the common use case. If your environment has some specific needs/issues, you should modify the configuration yourself to suit your needs.


While Red Hat welcomes bug reports on Red Hat products here in our public bugzilla database, please keep in mind that bugzilla is not a support tool or means of accessing support. If you would like technical support please visit our support portal at access.redhat.com or call us for information on subscription offerings to suit your needs.
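The configuration change the comment leaves to the administrator, as an added example that is not part of this bug report and not a file shipped by the bind package: the first `options` fragment shows the `dnssec-lookaside auto;` setting that makes named consult dlv.isc.org (the setting the report describes as present in the default config file), and the second shows the same block with lookaside validation switched off so that validation depends only on the root trust anchor. The surrounding option values are assumptions for illustration; only `dnssec-lookaside` changes between the two.

```conf
// Fragment 1 (as reported): DLV enabled through the built-in dlv.isc.org key.
// If dlv.isc.org is unreachable, validation that needs the lookaside zone stalls.
options {
    dnssec-enable yes;          // assumed surrounding value
    dnssec-validation yes;      // assumed surrounding value
    dnssec-lookaside auto;      // lookaside validation via dlv.isc.org
};

// Fragment 2 (hardened): no external lookaside dependency.
options {
    dnssec-enable yes;
    dnssec-validation auto;     // validate against the built-in root trust anchor
    dnssec-lookaside no;        // never query dlv.isc.org
};
```

After editing `/etc/named.conf` (path assumed), check the syntax with `named-checkconf` and apply it with `rndc reload`. With lookaside off, an internal zone whose parent is unsigned can still be validated by adding its key in a `trusted-keys` statement, which is the case the comment mentions DLV being used for; that keeps the resolver's chain of trust entirely under local control. ISC retired the dlv.isc.org registry in 2017 and newer BIND releases have removed the `dnssec-lookaside` option, so the hardened form is also the forward-compatible one.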