Re: dnssec-lookaside auto key expiration

2020-03-25 Thread Mark Andrews


> On 26 Mar 2020, at 08:04, Havard Eidnes via bind-users wrote:
> 
>> This was an accident - we did *not* do this on purpose - but in fact,
>> this is a good time for anyone who still has dlv.isc.org configured
>> to REMOVE it from your BIND configuration.
> 
> This advice may be misunderstood.  Use of dlv.isc.org is usually
> implied, not explicitly stated in named.conf, typically via
> 
>  dnssec-lookaside auto;
> 
> (or "yes").  This should (most probably) be changed to
> 
>  dnssec-lookaside no;
> 
> I don't have the cross-reference of what the default value has been
> for this option up through the history of BIND, so explicitly setting
> it to "no" is for now the safe thing to do.

DLV is off by default in all versions ISC shipped (from memory).  Various
distributions have enabled DLV in named.conf files they have shipped.  We have
tried hard to get DLV queries stopped but DNS has a long tail.  We try to only
introduce breaking changes in .0 releases which for DLV was 9.12.0.

BIND 9.9.10, 9.10.5 May 2016

4352.   [cleanup]   The ISC DNSSEC Lookaside Validation (DLV) service
is scheduled to be disabled in 2017.  A warning is
now logged when named is configured to use it,
either explicitly or via "dnssec-lookaside auto;"
[RT #42207]

Formal announcement of operations ceasing apart from an empty zone.

https://kb.isc.org/docs/iscs-dnssec-look-aside-validation-registry Sep 2017


BIND 9.9.12, 9.10.7, 9.11.3, 9.12.1, 9.13.0 had the following in them Feb 2018.

4889.   [func]  Warn about the use of old root keys without the new
root key being present.  Warn about dlv.isc.org's
key being present. Warn about both managed and
trusted root keys being present. [RT #43670]

BIND 9.9.12, 9.10.7, 9.11.3

4749.   [func]  The ISC DLV service has been shut down, and all
DLV records have been removed from dlv.isc.org.
- Removed references to ISC DLV in documentation
- Removed DLV key from bind.keys
- No longer use ISC DLV by default in delv
[RT #46155]

BIND 9.12.0

4749.   [func]  The ISC DLV service has been shut down, and all
DLV records have been removed from dlv.isc.org.
- Removed references to ISC DLV in documentation
- Removed DLV key from bind.keys
- No longer use ISC DLV by default in delv
- "dnssec-lookaside auto" and configuration of
  "dnssec-lookaside" with dlv.isc.org as the trust
  anchor are both now fatal errors.
[RT #46155]

BIND 9.15.3 (development) / 9.16.0

5276.   [func]  DNSSEC Lookaside Validation (DLV) is now obsolete;
all code enabling its use has been removed from the
validator, "delv", and the DNSSEC tools. [GL #7]

> Best regards,
> 
> - Håvard
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: dnssec-lookaside auto key expiration

2020-03-25 Thread Havard Eidnes via bind-users

> This was an accident - we did *not* do this on purpose - but in fact,
> this is a good time for anyone who still has dlv.isc.org configured
> to REMOVE it from your BIND configuration.

This advice may be misunderstood.  Use of dlv.isc.org is usually
implied, not explicitly stated in named.conf, typically via

  dnssec-lookaside auto;

(or "yes").  This should (most probably) be changed to

  dnssec-lookaside no;

I don't have the cross-reference of what the default value has been
for this option up through the history of BIND, so explicitly setting
it to "no" is for now the safe thing to do.

Best regards,

- Håvard
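Havard's advice above (set dnssec-lookaside no;) and Mark's note that distributions enabled DLV in the named.conf files they shipped both point to checking the whole configuration, including the files it pulls in with include statements. The script below is an added example, not code from the thread or from ISC; the named.conf it writes is constructed, with placeholder text in place of any key.

```shell
# Added example (not code from the thread or from ISC): audit a named.conf and the
# files it directly includes for the DLV settings discussed; exit 1 if any remain.

# Strip //, # and single-line /* */ comments and squeeze whitespace, so that a
# commented-out "dnssec-lookaside no;" is not mistaken for a live statement.
# Assumption: no quoted string contains "//" or "#" (a URL would be cut short).
strip_comments() {
    sed -e 's|/\*.*\*/||g' -e 's|//.*$||' -e 's|#.*$||' -e 's/[[:space:]]\{1,\}/ /g' "$1"
}

# Report every "dnssec-lookaside" statement other than "no", plus any mention of
# dlv.isc.org (e.g. a leftover trusted-keys entry). Include paths are used as
# written; named itself resolves relative ones against its "directory" option.
audit_dlv() {
    rc=0
    for f in "$1" $(strip_comments "$1" | sed -n 's/.*include *"\([^"]*\)".*/\1/p'); do
        [ -f "$f" ] || { printf '%s: included file not found\n' "$f"; rc=1; continue; }
        hits=$(strip_comments "$f" | grep -iE 'dnssec-lookaside|dlv\.isc\.org' \
               | grep -ivE 'dnssec-lookaside +no *;') || true
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | while IFS= read -r line; do printf '%s: %s\n' "$f" "$line"; done
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in the shape the thread describes: a distribution-style
# named.conf whose includes still carry "dnssec-lookaside auto;" and an old
# dlv.isc.org trust anchor (placeholder key text). Audited, then removed.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/named.conf" <<EOF
// constructed sample, not a real deployment
options { directory "/var/named"; };
include "$tmp/named.conf.options";
include "$tmp/named.conf.keys";
EOF
    cat > "$tmp/named.conf.options" <<EOF
options {
    dnssec-lookaside auto;   # live statement: flagged
    # dnssec-lookaside no;   commented out: must not be flagged
};
EOF
    printf 'trusted-keys { dlv.isc.org. 257 3 5 "PLACEHOLDER-NOT-A-KEY"; };\n' > "$tmp/named.conf.keys"
    audit_dlv "$tmp/named.conf"; rc=$?
    rm -rf "$tmp"
    return $rc
}
demo || echo 'Remove the statements above and set "dnssec-lookaside no;".'
```

Run audit_dlv against the real named.conf (as the user named runs as, so included files are readable) and it prints each live DLV statement with the file it lives in.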


Re: dnssec-lookaside auto key expiration

2020-03-25 Thread Victoria Risk

We apparently let our signatures on dlv.isc.org expire. We are fixing it now. 
We apologize for this.

This was an accident - we did *not* do this on purpose - but in fact, this is a 
good time for anyone who still has dlv.isc.org configured to REMOVE it from 
your BIND configuration. The zone is empty, lookups to the zone do nothing 
beneficial, and as has just been demonstrated, when the zone is bogus, it can 
have a negative impact.

I expect we will have some message here or on Twitter when the issue is finally 
resolved, but I don’t want to interrupt the person who is currently working on 
fixing it. 

As we are removing other obsolete features, we are tracking them along with the 
newly added features on the BIND Significant Features Matrix: 
https://kb.isc.org/docs/aa-01310
The DLV was actually removed from 9.16 so as later versions are adopted, it will 
no longer even be possible to run named with the dlv configured. 

Vicky Risk


Victoria Risk
Product Manager
Internet Systems Consortium
vi...@isc.org


dnssec-lookaside auto key expiration

2020-03-25 Thread Drew Weaver

Hello,

I unfortunately got hit by the key expiration or whatever just happened about 
an hour ago that caused the "dnssec-lookaside auto" command to crush all of our 
DNS queries.

I realize that it wasn't doing anything but we left the command in there 
because it had been in there and in the documentation it said it was harmless.

It wasn't harmless.

Anyway, I can't go back in time and make it harmless but are there any other 
timebombs coming up in the near future that people might not know about that 
they need to address?

Thanks,
-Drew
