[dns-operations] Strange effect

Mark Andrews marka at isc.org
Mon Feb 27 03:40:17 UTC 2017


In message <180C3186-E824-4B67-98BD-F3DAFA6C1662 at hostmaster.ua>, Taras Heychenko writes:
> 
> > On Feb 23, 2017, at 20:37, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> > 
> > 
> >> On Feb 23, 2017, at 11:42 AM, Taras Heychenko <tasic at hostmaster.ua> wrote:
> >> 
> >> Thank you for the explanation. Looks like the hostmaster of omnilance.com forgot
> >> to remove the record about the domain from DLV when making the domain unsigned again.
> > 
> > Well, they shouldn't have to bother anymore.  The real problem is continued
> > use of DLV.  Best to remove the DLV trust-anchor keys from your resolver
> > configurations so that look-aside can't possibly work.

Why shouldn't they have to bother anymore?  They chose to register
their zone.  They can easily remove the zone.  It's 2 or 3 clicks
after they have logged in to remove a zone.

At the moment there are still DLV entries for zones where there
isn't a trusted path from the root to the zone itself.  DLV is still
performing the function it was designed to do.  Only around 90%
of TLDs are signed, and getting a signed delegation for PA addresses
is just about impossible.

While we are in the process of shutting DLV down (you can't register
new zones at the moment), that doesn't excuse one from doing normal
maintenance operations in the meantime.  Shutting down does not
mean shutdown.

> I began my first letter with the word "accidentally". Of course we removed this
> option from named.conf. But I know places where named.conf has not been seen by
> an admin for years, because it just works and a BIND update does not force the
> admin to review named.conf (which is good IMHO :) ). So the hostmaster of the
> domain should do everything possible to make the domain work for resolvers with
> a few old configs as well. JIMHO.

And once we have removed all the DLV records we will serve an empty
signed zone for these servers.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
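The thread's practical advice is to take the look-aside trust anchor out of resolver configurations that nobody has looked at in years. The following is an added example, not code from the thread or from ISC: a small POSIX shell script that finds the two `dnssec-lookaside` forms BIND 9 accepted (`auto` and an explicit `trust-anchor dlv.isc.org`) in a named.conf and emits the configuration with them stripped. The named.conf fragment embedded in it is constructed for illustration; the file paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the dns-operations thread or from ISC):
# locate and strip DLV look-aside directives from a BIND named.conf so
# that look-aside validation cannot run. The config below is constructed.

# Constructed named.conf fragment. It carries an active "dnssec-lookaside auto;"
# plus an already commented-out explicit DLV trust anchor.
SAMPLE_CONF="$(cat <<'EOF'
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    dnssec-lookaside auto;
    // dnssec-lookaside . trust-anchor dlv.isc.org;
};
EOF
)"

# Pattern for an active (not //-commented) dnssec-lookaside directive.
DLV_RE='^[[:space:]]*dnssec-lookaside'

# Print active dnssec-lookaside directives found in the config text given as $1.
find_dlv() {
    printf '%s\n' "$1" | grep -E "$DLV_RE" || true
}

# Count active dnssec-lookaside directives in $1 (prints 0 when none).
count_dlv() {
    printf '%s\n' "$1" | grep -cE "$DLV_RE" || true
}

# Emit the config text $1 with every active dnssec-lookaside directive removed.
# Everything else (including the commented-out line) is left untouched.
strip_dlv() {
    printf '%s\n' "$1" | grep -vE "$DLV_RE"
}

# Demonstration on the constructed fragment.
echo "DLV directives found:"
find_dlv "$SAMPLE_CONF"
echo
echo "Config without look-aside:"
strip_dlv "$SAMPLE_CONF"

# On a real resolver (paths are assumptions for this example):
#   strip_dlv "$(cat /etc/bind/named.conf)" > /etc/bind/named.conf.new
#   named-checkconf /etc/bind/named.conf.new && mv /etc/bind/named.conf.new \
#       /etc/bind/named.conf && rndc reconfig
# To see whether a zone still has a look-aside entry, query the DLV record
# RFC 5074 defines, i.e. the zone name appended to the DLV domain:
#   dig +dnssec example.com.dlv.isc.org DLV
```

The script only removes the directive; `dnssec-validation` stays as it was, so a resolver that validated via the root before keeps doing so, and a zone that was only reachable through look-aside simply stops validating instead of being treated as secure on the strength of a registry that is being shut down.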
