dnssec-lookaside auto key expiration

Mark Andrews marka at isc.org
Thu Mar 26 01:21:37 UTC 2020



> On 26 Mar 2020, at 08:04, Havard Eidnes via bind-users <bind-users at lists.isc.org> wrote:
> 
>> This was an accident - we did *not* do this on purpose - but infact,
>> this is a good time for anyone who still has dlv.isc.org configured
>> to REMOVE it from your BIND configuration.
> 
> This advice may be misunderstood.  Use of dlv.isc.org is usually
> implied, not explicitly stated in named.conf, typically via
> 
>  dnssec-lookaside auto;
> 
> (or "yes").  This should (most probably) be changed to
> 
>  dnssec-lookaside no;
> 
> I don't have the cross-reference of what the default value has been
> for this option up through the history of BIND, so explicitly setting
> it to "no" is for now the safe thing to do.

DLV is off by default in all versions ISC shipped (from memory).  Various distributions
have enabled DLV in named.conf files they have shipped.  We have tried hard to
get DLV queries stopped, but DNS has a long tail.  We try to only introduce breaking
changes in .0 releases, which for DLV was 9.12.0.

BIND 9.9.10, 9.10.5 May 2016

4352.   [cleanup]       The ISC DNSSEC Lookaside Validation (DLV) service
                        is scheduled to be disabled in 2017.  A warning is
                        now logged when named is configured to use it,
                        either explicitly or via "dnssec-lookaside auto;"
                        [RT #42207]

Formal announcement of operations ceasing apart from an empty zone.

https://kb.isc.org/docs/iscs-dnssec-look-aside-validation-registry Sep 2017


BIND 9.9.12, 9.10.7, 9.11.3, 9.12.1, 9.13.0 had the following in them Feb 2018.

4889.   [func]          Warn about the use of old root keys without the new
                        root key being present.  Warn about dlv.isc.org's
                        key being present. Warn about both managed and
                        trusted root keys being present. [RT #43670]

BIND 9.9.12, 9.10.7, 9.11.3

4749.   [func]          The ISC DLV service has been shut down, and all
                        DLV records have been removed from dlv.isc.org.
                        - Removed references to ISC DLV in documentation
                        - Removed DLV key from bind.keys
                        - No longer use ISC DLV by default in delv
                        [RT #46155]

BIND 9.12.0

4749.   [func]          The ISC DLV service has been shut down, and all
                        DLV records have been removed from dlv.isc.org.
                        - Removed references to ISC DLV in documentation
                        - Removed DLV key from bind.keys
                        - No longer use ISC DLV by default in delv
                        - "dnssec-lookaside auto" and configuration of
                          "dnssec-lookaide" with dlv.isc.org as the trust
                          anchor are both now fatal errors.
                        [RT #46155]

BIND 9.15.3 (development) / 9.16.0

5276.   [func]          DNSSEC Lookaside Validation (DLV) is now obsolete;
                        all code enabling its use has been removed from the
                        validator, "delv", and the DNSSEC tools. [GL #7]

> Best regards,
> 
> - Håvard

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
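As an added example, not code from this thread or from ISC: a POSIX sh check that scans a named.conf (BIND 9.11 and earlier syntax) for the dnssec-lookaside forms discussed above ("auto", "yes", and an explicit dlv.isc.org trust anchor) and reports what to change. The function name, file names and the sample configs are constructed for the example.

```shell
#!/bin/sh
# Audit a named.conf for DLV use. Prints one line per dnssec-lookaside
# statement found; returns 1 if DLV is still in use, 0 otherwise.
dlv_audit() {
    conf="$1"
    rc=0
    # Strip // and # comments so commented-out directives are not flagged,
    # then keep only dnssec-lookaside statements.
    stmts=$(sed -e 's|//.*$||' -e 's|#.*$||' "$conf" | grep -i 'dnssec-lookaside' || true)
    if [ -z "$stmts" ]; then
        echo "$conf: no dnssec-lookaside statement (DLV off, the ISC default)"
        return 0
    fi
    # Here-document rather than a pipe so rc survives the loop (no subshell).
    while IFS= read -r s; do
        if printf '%s\n' "$s" | grep -Eiq 'dnssec-lookaside[[:space:]]+(auto|yes)[[:space:]]*;'; then
            echo "$conf: '$s' implies dlv.isc.org; change to 'dnssec-lookaside no;'"
            rc=1
        elif printf '%s\n' "$s" | grep -Eiq 'trust-anchor[[:space:]]+dlv\.isc\.org'; then
            echo "$conf: '$s' names dlv.isc.org as trust anchor; remove it"
            rc=1
        elif printf '%s\n' "$s" | grep -Eiq 'dnssec-lookaside[[:space:]]+no[[:space:]]*;'; then
            echo "$conf: '$s' already disables DLV"
        else
            echo "$conf: '$s' uses another lookaside zone; review manually"
        fi
    done <<EOF
$stmts
EOF
    return $rc
}

# Constructed sample configs (not real files) so the script runs stand-alone.
DLV_TMP=$(mktemp -d)
cat > "$DLV_TMP/old.conf" <<'EOF'
options {
    dnssec-validation auto;
    dnssec-lookaside auto;   // shipped by a distribution, not by ISC
};
EOF
cat > "$DLV_TMP/fixed.conf" <<'EOF'
options {
    dnssec-validation auto;
    // dnssec-lookaside auto;
    dnssec-lookaside no;
};
EOF
dlv_audit "$DLV_TMP/old.conf"   || echo "old.conf still uses DLV"
dlv_audit "$DLV_TMP/fixed.conf" && echo "fixed.conf is clean"
```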
