DNSSEC Fail due to DLV and expired signature for dlv.isc.org

On March 25th, some DNSSEC-Validation failed due to an expired signature from dlv.isc.org.

Ňútatement ISC via Twitter:

isc-2

a short tl;dr summary of what happened, see references below for more details

  • dnssec-records from dlv.isc.org expired
  • zone is invalid, if Domain Lookaside Validation (DLV) is activated bind9: dnssec-lookaside auto;
  • bind-nameserver might fail with lookup
  • DLV auto is default in older linux-distros (debian9, centos)
  • version affected:
    • 9.11.2 (and earlier)
  • version NOT affected:

    • 9.11.3 and later (DLV-option not available)
  • 1.5 Mio installations might be affected

binaryedge

  • workaround (unchecked):
        dnssec-validation yes;
        dnssec-lookaside no;
  • no problem on public nameservers (all OK):
dns_server = (
    "1.0.0.1",         #  Cloudflare
    "1.1.1.1",         #  Cloudflare
    "8.8.4.4",         #  Google
    "8.8.8.8",         #  Google
    "80.80.80.80",     #  Freenom World
    "80.80.81.81",     #  Freenom World
    "91.239.100.100",  #  censurfridns.dk
    "185.184.222.222", #  public-dns-b.dns.sb
    "185.222.222.222", #  public-dns-a.dns.sb
  )

isc-2

isc-2





Fragen? Kontakt: info@zero.bs