On March 25th, some DNSSEC validation failed due to an expired signature from dlv.isc.org.
Statement from ISC via Twitter:
A short tl;dr summary of what happened; see the references below for more details:
- DNSSEC records from dlv.isc.org expired
- the zone is invalid if DNSSEC Lookaside Validation (DLV) is activated in BIND 9:
  dnssec-lookaside auto;
- BIND name servers might fail lookups
- DLV auto is the default in older Linux distros (Debian 9, CentOS)
- versions affected:
  - 9.11.2 (and earlier)
- versions NOT affected:
  - 9.11.3 and later (DLV option not available)
- 1.5 million installations might be affected
- workaround (unchecked):
  dnssec-validation yes;
  dnssec-lookaside no;
- no problem on public nameservers (all OK):
dns_server = (
"1.0.0.1", # Cloudflare
"1.1.1.1", # Cloudflare
"8.8.4.4", # Google
"8.8.8.8", # Google
"80.80.80.80", # Freenom World
"80.80.81.81", # Freenom World
"91.239.100.100", # censurfridns.dk
"185.184.222.222", # public-dns-b.dns.sb
"185.222.222.222", # public-dns-a.dns.sb
)
- will probably be a problem for local/smaller ISPs
- root cause / post by ISC: ISC's DNSSEC Look-Aside Validation Registry
- Statement from ISC via Twitter
- 6 h after the incident was reported, the problem had been fixed by ISC: "The problem has been fixed, and enough time has elapsed so that all our secondaries should have been updated by now. The root cause was a failed server update, with the result that we missed restoring the VM that was the primary for http://dlv.isc.org ."
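As an added example (not part of the original note and not ISC code), a small Python check that applies the version and workaround facts above: it reads a constructed named.conf options block, reports a resolver as affected when the BIND version is 9.11.2 or earlier and dnssec-lookaside is "auto" (or points at dlv.isc.org explicitly), and rewrites the block to the workaround. The sample config and version strings are constructed.

```python
import re

# Constructed named.conf options block with the setting the note describes
# as affected (dnssec-lookaside auto;). Not a real server's config.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";   // comment, must be ignored
    dnssec-validation auto;
    dnssec-lookaside auto;
    listen-on-v6 { any; };
};
"""

def strip_comments(conf):
    """Remove named.conf comment styles: /* ... */, // ... and # ..."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def lookaside_setting(conf):
    """Return the dnssec-lookaside value (e.g. 'auto', 'no') or None if unset."""
    m = re.search(r"\bdnssec-lookaside\s+([^;]+);", strip_comments(conf))
    return m.group(1).strip() if m else None

def version_has_dlv(version):
    """True for 9.11.2 and earlier, the versions the note lists as affected."""
    nums = tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    return nums <= (9, 11, 2)

def is_affected(conf, version):
    """Affected when the binary still has DLV and lookaside uses dlv.isc.org.
    'auto' means the built-in dlv.isc.org anchor; an explicit
    'dnssec-lookaside . trust-anchor dlv.isc.org;' points at the same zone."""
    setting = lookaside_setting(conf) or ""
    return version_has_dlv(version) and (setting == "auto" or "dlv.isc.org" in setting)

def fix_lookaside(conf):
    """Apply the note's workaround: keep validation on, turn lookaside off."""
    conf = re.sub(r"\bdnssec-lookaside\s+[^;]+;", "dnssec-lookaside no;", conf)
    if re.search(r"\bdnssec-validation\s+[^;]+;", strip_comments(conf)):
        return re.sub(r"\bdnssec-validation\s+[^;]+;", "dnssec-validation yes;", conf)
    # No validation statement at all: add one right after the options block opens.
    return conf.replace("options {", "options {\n    dnssec-validation yes;", 1)

if __name__ == "__main__":
    for v in ("9.10.3-P4-Debian", "9.11.2-P1", "9.11.3"):
        print(v, "affected" if is_affected(SAMPLE_NAMED_CONF, v) else "not affected")
    print(fix_lookaside(SAMPLE_NAMED_CONF))
```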
Questions? Contact: info@zero.bs