dnssec validation issue

Carl Byington carl at byington.org
Fri Jun 19 15:28:30 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 2015-06-19 at 05:58 +0000, Eray Aslan wrote:
> With the root zone and most TLDs signed, I do not think it makes sense
> to use DLV anymore.  While a typical DNSSEC resolver configuration has
> DLV enabled, I personally make the effort to disable it.

I agree. My bind rpm packages now install the bind.keys file from the
isc tarball as /etc/named.bind.keys - rather than the older redhat
naming of /etc/named.iscdlv.key. That name was misleading anyway, since
the bind.keys file currently contains both the isc-dlv key, and the root
key.

My bind rpm packages have a default named.conf that now properly uses
"dnssec-validation auto;" to use the root key from that
/etc/named.bind.keys file. It contains a commented "// dnssec-lookaside
auto;", which if manually uncommented will use the dlv key from that
file.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAlWENPcACgkQL6j7milTFsHmqwCfZN9+YluH+0s4L+vSDINPE7Is
0RUAnRakAQIwmybOO8v8T35BZ/2tNJr0
=CmK2
-----END PGP SIGNATURE-----
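The point of the post is that a resolver configured with "dnssec-validation auto;" uses only the root key from the bind.keys file, while the isc-dlv key in that same file is dormant unless "dnssec-lookaside" is enabled. The script below is an added example (not code from this thread, from Carl Byington's rpm packages, or from ISC) that audits exactly that: it parses a bind.keys-style managed-keys block and a named.conf options block, computes each anchor's RFC 4034 key tag (the number dig and delv print), and reports which anchors the configuration would actually load. The managed-keys block and named.conf fragment are constructed samples; the base64 key material is placeholder data, not the real root or dlv.isc.org key, so the key tags it prints are meaningful only for the sample.

```python
"""Audit which DNSSEC trust anchors a BIND resolver would actually use."""
import base64
import re

# Constructed sample in the layout of ISC's bind.keys. The base64 strings are
# placeholder key material, NOT the real root key or the dlv.isc.org key.
SAMPLE_BIND_KEYS = """\
managed-keys {
        # ISC DLV: lookaside anchor, consulted only if dnssec-lookaside is set
        dlv.isc.org. initial-key 257 3 5 "AQABAAAB";

        # ROOT KEY (placeholder key material)
        . initial-key 257 3 8 "AQAB";
};
"""

# Constructed named.conf fragment mirroring the post: validation via the
# root key is on, the lookaside line is left commented out.
SAMPLE_NAMED_CONF = """\
options {
        bindkeys-file "/etc/named.bind.keys";
        dnssec-validation auto;
        // dnssec-lookaside auto;
};
"""

ANCHOR_RE = re.compile(r'(\S+)\s+initial-key\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;')


def strip_comments(text):
    """Drop /* */, // and # comments from named.conf text, so a commented-out
    option such as "// dnssec-lookaside auto;" is not mistaken for a live one.
    (Used on named.conf only: base64 key material may legitimately contain "//".)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY key tag per RFC 4034 Appendix B, computed over the wire-format RDATA."""
    pubkey = base64.b64decode("".join(pubkey_b64.split()))
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_anchors(bind_keys):
    """Return (name, flags, protocol, algorithm, key_tag) for each initial-key entry.
    Only whole-line '#' comments are stripped here; bind.keys uses that style."""
    text = re.sub(r"^\s*#.*$", "", bind_keys, flags=re.M)
    anchors = []
    for name, flags, proto, alg, key in ANCHOR_RE.findall(text):
        flags, proto, alg = int(flags), int(proto), int(alg)
        anchors.append((name, flags, proto, alg, key_tag(flags, proto, alg, key)))
    return anchors


def validation_settings(named_conf):
    """Effective values of the options that decide which anchors get loaded."""
    conf = strip_comments(named_conf)
    settings = {}
    for option in ("dnssec-validation", "dnssec-lookaside", "bindkeys-file"):
        match = re.search(option + r"\s+([^;]+);", conf)
        settings[option] = match.group(1).strip().strip('"') if match else None
    return settings


def audit(bind_keys, named_conf):
    """For every anchor in bind.keys, say whether this named.conf would use it."""
    settings = validation_settings(named_conf)
    report = []
    for name, flags, proto, alg, tag in parse_anchors(bind_keys):
        if name == ".":
            # "dnssec-validation auto;" loads the root anchor from bindkeys-file
            role, active = "root", settings["dnssec-validation"] == "auto"
        elif name == "dlv.isc.org.":
            # the DLV anchor is only used when dnssec-lookaside is enabled
            role, active = "lookaside", settings["dnssec-lookaside"] not in (None, "no")
        else:
            role, active = "other", False  # not something bind.keys normally carries
        report.append({"name": name, "role": role, "algorithm": alg,
                       "flags": flags, "key_tag": tag, "active": active})
    return report


if __name__ == "__main__":
    print("settings:", validation_settings(SAMPLE_NAMED_CONF))
    for anchor in audit(SAMPLE_BIND_KEYS, SAMPLE_NAMED_CONF):
        state = "LOADED" if anchor["active"] else "dormant"
        print(f'{anchor["name"]:<14} {anchor["role"]:<10} alg={anchor["algorithm"]} '
              f'tag={anchor["key_tag"]:<5} {state}')
```

Run against a real /etc/named.bind.keys and named.conf (after `named-checkconf` passes), the report makes the post's configuration visible: the root anchor shows as loaded, the dlv.isc.org anchor as dormant, and uncommenting "dnssec-lookaside auto;" flips the latter without touching the key file.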
More information about the bind-users mailing list