Bug 1133713 - Outdated DLV (DNSSEC Lookaside Validation) configuration causes single point of failure
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bind
Version: 7.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Tomáš Hozza
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-08-25 23:36 UTC by Jean-Francois Pirus
Modified: 2024-03-25 14:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-26 13:46:47 UTC
Target Upstream Version:
Embargoed:

Description Jean-Francois Pirus 2014-08-25 23:36:08 UTC
Description of problem:
DLV (DNSSEC Lookaside Validation) causes single point of failure.
DLV is an early DNSSEC adoption protocol which is now mainly unnecessary as the root zones were signed in 2010.

It introduces a single point of failure as non-authoritative resolvers will time out if dlv.isc.org is not accessible (link to the internet is down or link to the US is down).
This is true even when internal resolving servers can access the authoritative servers for local domains.

Version-Release number of selected component (if applicable):
All, as it is in the default config file.

How reproducible:
When dlv.isc.org is not accessible.

Steps to Reproduce:
1. Disable access to dlv.isc.org.
2. Non-authoritative resolvers will time out.

Actual results:
Non-authoritative resolvers fail to resolve everything.

Expected results:
Non-authoritative resolvers resolve everything.


Additional info:

Comment 2 Tomáš Hozza 2014-08-26 13:46:47 UTC
(In reply to Jean-Francois Pirus from comment #0)
> Description of problem:
> DLV (DNSSEC Lookaside Validation) causes single point of failure.
> DLV is an early DNSSEC adoption protocol which is now mainly unnecessary as
> the root zones were signed in 2010.

DLV can still be used e.g. to authenticate some domain's DNSKEY in case the parent zone is not signed. It provides extra security, since it enables you to secure some domain using DNSSEC even if there is no chain of trust from the root.

> It introduces a single point of failure as non-authoritative resolvers will
> time out if dlv.isc.org is not accessible.(Link to the internet is down or
> link to the US is down)
> This is true even when internal resolving servers can access the
> authoritative servers for local domains.

Only queries for UNSECURE domain names will fail if only dlv.isc.org is unreachable.

How would you like to perform DNSSEC validation and build a chain of trust if the internet is unreachable?

> Version-Release number of selected component (if applicable):
> All, as it is in the default config file.
> 
> How reproducible:
> When dlv.isc.org is not accessible.
> 
> Steps to Reproduce:
> 1. Disable access to dlv.isc.org.
> 2. Non-authoritative resolvers will time out.
> 
> Actual results:
> non-authoritative resolvers fail to resolve everything.
> 
> Expected results:
> non-authoritative resolvers resolve everything.
> 
> 
> Additional info:

The shipped default configuration is intended for the common use case. If your environment has some specific needs/issues, you should modify the configuration yourself to suit your needs.

