Bug 1133713 - Outdated DLV (DNSSEC Lookaside Validation) configuration causes single point of failure
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bind
Version: 7.0
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Tomáš Hozza
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-08-25 23:36 UTC by Jean-Francois Pirus
Modified: 2020-11-06 10:03 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-26 13:46:47 UTC
Target Upstream Version:



Description Jean-Francois Pirus 2014-08-25 23:36:08 UTC
Description of problem:
DLV (DNSSEC Lookaside Validation) causes single point of failure.
DLV is an early DNSSEC adoption protocol which is now mainly unnecessary as the root zones were signed in 2010.

It introduces a single point of failure as non-authoritative resolvers will time out if dlv.isc.org is not accessible. (Link to the internet is down or link to the US is down.)
This is true even when internal resolving servers can access the authoritative servers for local domains.

Version-Release number of selected component (if applicable):
All, as it is in the default config file.

How reproducible:
When dlv.isc.org is not accessible.

Steps to Reproduce:
1. Disable access to dlv.isc.org.
2. Non-authoritative resolvers will time out.

Actual results:
Non-authoritative resolvers fail to resolve everything.

Expected results:
Non-authoritative resolvers resolve everything.


Additional info:

Comment 2 Tomáš Hozza 2014-08-26 13:46:47 UTC
(In reply to Jean-Francois Pirus from comment #0)
> Description of problem:
> DLV (DNSSEC Lookaside Validation) causes single point of failure.
> DLV is an early DNSSEC adoption protocol which is now mainly unnecessary as
> the root zones were signed in 2010.

DLV can still be used e.g. to authenticate some domain's DNSKEY in case the parent zone is not signed. It provides extra security, since it enables you to secure some domain using DNSSEC even if there is no chain of trust from the root.

> It introduces a single point of failure as non-authoritative resolvers will
> time out if dlv.isc.org is not accessible. (Link to the internet is down or
> link to the US is down.)
> This is true even when internal resolving servers can access the
> authoritative servers for local domains.

Only queries for UNSECURE domain names will fail if only dlv.isc.org is unreachable.

How would you like to perform DNSSEC validation and build a chain of trust if the internet is unreachable?

> Version-Release number of selected component (if applicable):
> All, as it is in the default config file.
> 
> How reproducible:
> When dlv.isc.org is not accessible.
> 
> Steps to Reproduce:
> 1. Disable access to dlv.isc.org.
> 2. Non-authoritative resolvers will time out.
> 
> Actual results:
> non-authoritative resolvers fail to resolve everything.
> 
> Expected results:
> non-authoritative resolvers resolve everything.
> 
> 
> Additional info:

The shipped default configuration is intended for the common use case. If your environment has some specific needs/issues, you should modify the configuration yourself to suit your needs.


While Red Hat welcomes bug reports on Red Hat products here in our
public bugzilla database, please keep in mind that bugzilla is not
a support tool or means of accessing support.  If you would like
technical support please visit our support portal at
access.redhat.com or call us for information on subscription
offerings to suit your needs.
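The bug report says the DLV dependence comes from the default config file, and the reply says to change the configuration locally. The BIND option involved is `dnssec-lookaside`: with `auto`, every validation that cannot build a chain from the root consults the dlv.isc.org registry, so an unreachable dlv.isc.org stalls those lookups. The script below is an added example (not from the bug report, the reporter, or Red Hat); it builds constructed named.conf snippets resembling the RHEL 7 default `options` block, audits them for a DLV dependence, and rewrites `dnssec-lookaside auto;` to `dnssec-lookaside no;` so validation relies only on the root trust anchor and any locally configured trust anchors. ISC has since retired the dlv.isc.org registry, so the `no` setting is the one that keeps working.

```shell
#!/bin/sh
# Added example: audit a named.conf for DNSSEC Lookaside Validation (DLV)
# and produce a copy with lookaside disabled. Not RHEL's or ISC's own code.
set -eu

# Constructed sample modelled on the RHEL 7 default options block
# (assumption: your real file differs; only the dnssec-* lines matter).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    // "auto" makes validation consult dlv.isc.org for unanchored zones.
    dnssec-lookaside auto;
    bindkeys-file "/etc/named.iscdlv.key";
};
EOF

# Constructed sample in the older explicit form (same dependence).
OLD_CONF=$(mktemp)
cat > "$OLD_CONF" <<'EOF'
options {
    dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.isc.org;
};
EOF

FIXED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$OLD_CONF" "$FIXED_CONF"' EXIT

# Return 0 when the config still relies on DLV: either the "auto" form or
# an explicit trust-anchor pointing at dlv.isc.org. Lines commented out with
# // or # are ignored; a /* ... */ block spanning several lines is not
# handled, so review such comments by hand.
uses_dlv() {
    grep -vE '^[[:space:]]*(//|#)' "$1" \
      | grep -qE 'dnssec-lookaside[[:space:]]+(auto|.*dlv\.isc\.org)'
}

# Emit a corrected copy on stdout: lookaside switched off so the resolver
# validates with the root trust anchor (plus any local trust-anchors) only.
# The bindkeys-file line may stay; it is unused once lookaside is "no".
disable_dlv() {
    sed -E 's/^([[:space:]]*)dnssec-lookaside[[:space:]]+auto;/\1dnssec-lookaside no;/' "$1"
}

disable_dlv "$WEAK_CONF" > "$FIXED_CONF"

# Stand-alone report; run `named-checkconf` on the real file after editing.
for f in "$WEAK_CONF" "$OLD_CONF" "$FIXED_CONF"; do
    if uses_dlv "$f"; then
        echo "$f: still depends on dlv.isc.org"
    else
        echo "$f: no DLV dependence"
    fi
done
```

Apply the same change to `/etc/named.conf` on the real host (keeping `dnssec-validation yes;`), then run `named-checkconf` before reloading; the explicit `trust-anchor dlv.isc.org` form has to be removed by hand since the rewrite only targets `auto`.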

