A brief blip in the DNS

At around 5pm on Wednesday 25th March we received a few reports that some sites on Janet were having issues with DNS resolution.

This was caused by the site’s own resolver still performing DNSSEC Lookaside Validation (DLV), and a failure by the operators of the DLV zone that broke the DNSSEC signing of that zone.

In summary, if you're using BIND as a DNS resolver and you have 'dnssec-lookaside auto;' or 'dnssec-lookaside yes;' in your named.conf file, remove that line. It refers to an obsolete feature that is not required in any circumstances, and can — as was shown yesterday — break.

As a reminder, there was a time before the root zone of the DNS was signed with DNSSEC but when zones lower down in the hierarchy were already signed (or there were other holes between the root and a signed zone). To create a chain of trust, operators of a signed zone could place their Delegation Signer (DS) record, as a DLV record, in the DLV zone operated by ISC, and DNS resolvers could be configured to look there, in parallel with the main DNS hierarchy (hence "look-aside"), to check that signatures were correct.

As deployment of DNSSEC grew, the need for this diminished, and eventually the DLV was replaced with a signed empty zone about two and a half years ago.

No default BIND configurations distributed by ISC ever had DLV enabled, but some operating system vendors had enabled it in their own configurations, and these may have been left in place following upgrades.

If it is enabled, the BIND configuration file named.conf will contain one of the following lines:

        dnssec-lookaside auto;

or

        dnssec-lookaside yes;

Delete that line!

Deleting it will not break anything now. Not deleting it will break something later, as ISC would like to remove even the empty signed zone.
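As an added example (not part of the original post), a small POSIX shell script that finds any dnssec-lookaside directive in a named.conf and writes a cleaned copy for review. It goes slightly beyond the post by also matching the older "trust-anchor" form of the directive; the file paths and the sample configuration are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: find and remove the obsolete
# dnssec-lookaside directive from a BIND named.conf. Paths are assumptions.

# A dnssec-lookaside directive on its own line: "auto", "yes", or the older
# "<domain> trust-anchor <domain>" form. "dnssec-lookaside no;" is harmless
# and is deliberately not matched.
DLV_RE='^[[:space:]]*dnssec-lookaside[[:space:]]+(auto|yes|[^;]*trust-anchor[^;]*)[[:space:]]*;'

# Print matching lines with their line numbers; exit status 0 if any found.
find_dlv() {
    grep -nE "$DLV_RE" "$1"
}

# Exit status 0 if the file still carries the directive, 1 otherwise.
has_dlv() {
    grep -qE "$DLV_RE" "$1"
}

# Write a copy of $1 with the directive removed to $2; $1 is left untouched
# so the result can be reviewed before replacing the live file.
strip_dlv() {
    sed -E "/$DLV_RE/d" "$1" > "$2"
}

# Constructed sample named.conf, the sort of options block a distro might
# have shipped with DLV switched on.
SAMPLE="$(mktemp)"
FIXED="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    dnssec-lookaside auto;
    recursion yes;
};
EOF

# Demonstration run: report what would be removed, then produce the clean copy.
demo() {
    if has_dlv "$SAMPLE"; then
        echo "obsolete DLV directive found in $SAMPLE:"
        find_dlv "$SAMPLE"
        strip_dlv "$SAMPLE" "$FIXED"
        echo "cleaned copy written to $FIXED"
        # Real-world follow-up (assumed paths): copy $FIXED over
        # /etc/bind/named.conf, run named-checkconf, then rndc reconfig.
    fi
}
```

Running `demo` prints the offending line with its number and the path of the cleaned copy; dnssec-validation and every other option are preserved.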
