Disable dnssec-lookaside (DLV) now - here's how
  • 26 Mar 2020

ISC's DNSSEC Look-Aside Validation Registry was originally set up as a temporary tool to assist those adopting DNSSEC signed zones and validation.

There is a short article about its history here:
ISC's DNSSEC Look-Aside Validation Registry

Since 2017, ISC has continued to maintain the DNSSEC-signed zone dlv.isc.org as an empty zone to prevent problems for recursive server operators whose servers were still configured to use dnssec-lookaside despite ISC's efforts to publicize its decommissioning.

https://www.isc.org/blogs/dlv/

https://www.isc.org/blogs/dlv-replaced-with-signed-empty-zone/

DNSSEC-validating resolvers that still use dnssec-lookaside pointing to dlv.isc.org are adding an unnecessary processing step to their DNSSEC validation; moreover, it is a step that does nothing useful, since the ISC DLV Registry has been serving an empty zone since 2017. If you have dnssec-lookaside configured in named.conf, a DNSSEC-validating resolver has to cryptographically prove that DLV records don't exist when handling client queries for zones that are not DNSSEC-signed. Ordinarily (with the now empty zone), this will take place every hour.

Why are some BIND resolvers still using dnssec-lookaside?

In the early days of DNSSEC adoption, some Operating System Packagers distributed BIND with a default configuration and DNSSEC keys (trust anchors) that enabled this option by default. Some DNS operators who are running default configurations are not fully aware of which configuration options are thereby enabled/disabled and their functions.

Newer versions of BIND changed the defaults and also started emitting start-up warnings. Despite these efforts to highlight the problem, a significant number of DNS operators who have not kept their BIND servers updated, or who did not see, understand or heed the logged start-up warnings, are still querying the zone dlv.isc.org.

Why not just shut down the zone dlv.isc.org entirely?

We tested what would happen if we did this - and the outcome was disastrous for DNSSEC-validating resolvers that tried to use dnssec-lookaside. We concluded that servers running BIND that were still configured to use the registry would start responding SERVFAIL for many client queries. We decided at the time that 'breaking the Internet' for users of these DNS resolvers was unfair, and we anticipated that the use of dnssec-lookaside would diminish over time to a point where it would be safe to shut down the service fully.

As well as introducing logged warnings and updates to the BIND documentation, we also amended BIND itself to eliminate dnssec-lookaside from production resolvers as their operators upgraded:

  • In BIND 9.9.12, BIND 9.10.7, BIND 9.11.3, released after we emptied the zone dlv.isc.org, we adjusted the code to ignore dnssec-lookaside auto; (although it was still possible to configure and use dnssec-lookaside explicitly).
  • From BIND 9.12.0 and newer, named fails to start if dnssec-lookaside auto; is included in named.conf, or if dnssec-lookaside yes; is used with dlv.isc.org as the trust anchor.
  • In BIND 9.16.0 dnssec-lookaside functionality is removed entirely.

How can I make sure that I have disabled dnssec-lookaside on my BIND DNS Resolvers?

Run a currently-supported version of BIND

Unless you are running BIND 9.11 (Extended Support Version) and have explicitly configured dnssec-lookaside yes; with dlv.isc.org as the trust anchor (and assuming also that you have kept up to date with ISC BIND maintenance releases), your servers will not be using dnssec-lookaside with dlv.isc.org.

Are you DNSSEC-validating?

If your Resolver is not configured to perform DNSSEC-validation, then it will not be using dnssec-lookaside.

Servers that are performing DNSSEC-validation will fall into one of the following categories:

  1. DNSSEC has been manually enabled - you will see this configuration option (along with options for setting keys and trust anchors):

dnssec-validation yes;

  2. DNSSEC has been automatically configured - you will see this configuration option:

dnssec-validation auto;

  3. You are running a version of BIND that sets dnssec-validation yes; by default, and which has the root trust anchors explicitly defined in your configuration (look for references to managed-keys or trusted-keys in your configuration).

If your version of BIND is older than 9.11, then you can very simply ensure that you have disabled dnssec-lookaside by setting this option globally, and/or per view:

dnssec-lookaside no;

For BIND 9.11 and newer, look for all references to dnssec-lookaside in your configuration and remove them entirely. (You can also add dnssec-lookaside no; in BIND 9.11, but this will result in warnings being logged when named starts up).
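One way to find every live dnssec-lookaside statement and apply the version rule above, as an added example that is not ISC's code. The function names (strip_comments, scope_at, audit, remediation) and the sample configuration are hypothetical; the sketch reads only the text it is given, so include files are not followed and braces inside quoted strings are not handled.

```python
import re
# Constructed sample named.conf for illustration; not from a real server.
SAMPLE_CONF = '''\
options {
    dnssec-validation auto;
    dnssec-lookaside auto;   // legacy packager default
};
view "internal" {
    # dnssec-lookaside auto;
    dnssec-lookaside no;
};
/* dnssec-lookaside auto; */
'''

_STR_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    """Blank out /* */, // and # comments, keeping line numbers and strings."""
    return _STR_OR_COMMENT.sub(
        lambda m: m[0] if m[0][0] == '"' else re.sub(r'[^\n]', ' ', m[0]), text)

def scope_at(clean, pos):
    """Name the block(s) enclosing offset pos, e.g. 'options' or 'view "internal"'."""
    stack, start = [], 0
    for i, ch in enumerate(clean[:pos]):
        if ch == '{':
            stack.append(' '.join(clean[start:i].split()))
        elif ch == '}' and stack:
            stack.pop()
        if ch in '{};':
            start = i + 1
    return ' > '.join(stack) or 'top level'

def audit(conf_text):
    """Return (line, scope, argument, in_use) for each live dnssec-lookaside."""
    clean = strip_comments(conf_text)
    found = []
    for m in re.finditer(r'(?<![\w-])dnssec-lookaside\s+([^;{}]*);', clean):
        arg = ' '.join(m.group(1).split())
        line = clean.count('\n', 0, m.start()) + 1
        found.append((line, scope_at(clean, m.start()), arg, arg != 'no'))
    return found

def remediation(finding, bind_version):
    """Article's rule: 'no' before 9.11, delete every reference from 9.11 on."""
    line, scope, _arg, in_use = finding
    if bind_version >= (9, 11):
        return f'line {line} ({scope}): remove the statement'
    return f'line {line} ({scope}): ' + ('set dnssec-lookaside no;' if in_use else 'ok')
```

Pass the BIND version as a tuple such as (9, 11), and run audit() separately over each file that named.conf pulls in with include.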

Run a supported version of BIND

ISC recommends always running a currently supported version of BIND. Older versions of BIND will be vulnerable to bugs and security defects that have been addressed in newer versions. ISC's currently supported versions of BIND can be downloaded from isc.org/download.

ISC-packaged versions of BIND are also available:
ISC Packages for BIND9

This article may also be helpful to those planning an upgrade:
Which version of BIND do I want to download and install?