> On 26 Mar 2020, at 08:04, Havard Eidnes via bind-users <bind-users@lists.isc.org> wrote:
>
>> This was an accident - we did *not* do this on purpose - but in fact,
>> this is a good time for anyone who still has dlv.isc.org configured
>> to REMOVE it from your BIND configuration.
>
> This advice may be misunderstood. Use of dlv.isc.org is usually
> implied, not explicitly stated in named.conf, typically via
>
>   dnssec-lookaside auto;
>
> (or "yes"). This should (most probably) be changed to
>
>   dnssec-lookaside no;
>
> I don't have the cross-reference of what the default value has been
> for this option up through the history of BIND, so explicitly setting
> it to "no" is for now the safe thing to do.

DLV is off by default in all versions ISC shipped (from memory). Various distributions have enabled DLV in named.conf files they have shipped.

We have tried hard to get DLV queries stopped but DNS has a long tail. We try to only introduce breaking changes in .0 releases which for DLV was 9.12.0.

BIND 9.9.10, 9.10.5 May 2016

4352.   [cleanup]   The ISC DNSSEC Lookaside Validation (DLV) service
                    is scheduled to be disabled in 2017. A warning is
                    now logged when named is configured to use it,
                    either explicitly or via "dnssec-lookaside auto;"
                    [RT #42207]

Formal announcement of operations ceasing apart from an empty zone.

https://kb.isc.org/docs/iscs-dnssec-look-aside-validation-registry

Sep 2017

BIND 9.9.12, 9.10.7, 9.11.3, 9.12.1, 9.13.0 had the following in them Feb 2018.

4889.   [func]      Warn about the use of old root keys without the new
                    root key being present. Warn about dlv.isc.org's
                    key being present. Warn about both managed and
                    trusted root keys being present. [RT #43670]

BIND 9.9.12, 9.10.7, 9.11.3

4749.   [func]      The ISC DLV service has been shut down, and all
                    DLV records have been removed from dlv.isc.org.
                    - Removed references to ISC DLV in documentation
                    - Removed DLV key from bind.keys
                    - No longer use ISC DLV by default in delv
                    [RT #46155]

BIND 9.12.0

4749.   [func]      The ISC DLV service has been shut down, and all
                    DLV records have been removed from dlv.isc.org.
                    - Removed references to ISC DLV in documentation
                    - Removed DLV key from bind.keys
                    - No longer use ISC DLV by default in delv
                    - "dnssec-lookaside auto" and configuration of
                      "dnssec-lookaide" with dlv.isc.org as the
                      trust anchor are both now fatal errors.
                    [RT #46155]

BIND 9.15.3 (development) / 9.16.0

5276.   [func]      DNSSEC Lookaside Validation (DLV) is now obsolete;
                    all code enabling its use has been removed from the
                    validator, "delv", and the DNSSEC tools.
                    [GL #7]

> Best regards,
>
> - Håvard
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
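
One way to audit a configuration for the DLV remnants this thread discusses, as an added example that is not part of either message or of BIND itself. The function name `audit_dlv`, the finding labels and the sample configuration are assumptions made for illustration; the sample key data is a placeholder.

```python
import re

# Quoted strings are matched first so "//" or "#" inside them is not taken
# for a comment; named.conf allows /* */, // and # comments.
_TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_LOOKASIDE = re.compile(r'\bdnssec-lookaside\s+([^;]+);')
_KEYS = re.compile(r'\b(trusted-keys|managed-keys)\s*\{([^}]*)\}', re.S)

# Constructed sample configuration (not from the thread); key data is a placeholder.
SAMPLE = '''
options {
    directory "/var/named";
    // dnssec-lookaside no;   (commented out, so not in effect)
    dnssec-lookaside auto;
};
view "internal" {
    dnssec-lookaside "." trust-anchor dlv.isc.org;
};
/* leftover DLV trust anchor */
trusted-keys {
    dlv.isc.org. 257 3 5 "PLACEHOLDER";
};
'''

def strip_comments(text):
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ' '
    return _TOKEN.sub(keep, text)

def audit_dlv(conf_text):
    """Return (finding, detail) tuples for DLV remnants in named.conf text."""
    text = strip_comments(conf_text)
    findings = []
    for m in _LOOKASIDE.finditer(text):
        arg = " ".join(m.group(1).replace('"', '').split()).lower()
        if arg == "no":
            findings.append(("ok-disabled", arg))
        elif arg in ("auto", "yes"):      # dlv.isc.org implied, per the thread
            findings.append(("implicit-isc-dlv", arg))
        elif "dlv.isc.org" in arg:        # named explicitly as trust anchor
            findings.append(("explicit-isc-dlv", arg))
        else:                             # some other DLV registry
            findings.append(("other-dlv", arg))
    for m in _KEYS.finditer(text):        # stale dlv.isc.org key left behind
        if re.search(r'\bdlv\.isc\.org\b', m.group(2), re.I):
            findings.append(("isc-dlv-key", m.group(1)))
    return findings

if __name__ == "__main__":
    for finding, detail in audit_dlv(SAMPLE):
        print(f"{finding}: {detail}")
```

The function does not follow `include` statements, so each included file has to be passed to it as well.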