dnssec-lookaside auto key expiration
Havard Eidnes
he at uninett.no
Wed Mar 25 21:04:06 UTC 2020
> This was an accident - we did *not* do this on purpose - but infact,
> this is a good time for anyone who still has dlv.isc.org configured
> to REMOVE it from your BIND configuration.
This advice may be misunderstood. Use of dlv.isc.org is usually
implied, not explicitly stated in named.conf, typically via
dnssec-lookaside auto;
(or "yes"). This should (most probably) be changed to
dnssec-lookaside no;
I don't have the cross-reference of what the default value has been
for this option up through the history of BIND, so explicitly setting
it to "no" is for now the safe thing to do.
Best regards,
- Håvard
More information about the bind-users
mailing list