2017-10-02 - News - Tony Finch
In the bumper July news item there is a note about DNSSEC lookaside validation (DLV) being deprecated.
During the DNS OARC27 meeting at the end of last week, DLV was decommissioned by emptying the dlv.isc.org zone. The item on the agenda was titled "Deprecating RFC5074" - there are no slides because the configuration change was made live in front of the meeting.
If you have not done so already, you should remove any dnssec-lookaside (BIND) or dlv-anchor (Unbound) from your server configuration.
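One way to check a server for leftover DLV settings, as an added example that is not part of the original news item: a line-based scan that skips commented-out directives and BIND's "dnssec-lookaside no;". The function names, sample files and paths are constructed for illustration; dlv-anchor-file is the file-based form of Unbound's dlv-anchor option.

```shell
# find_dlv KIND FILE...  (KIND: bind | unbound) prints "file:line: directive"
# for each active DLV setting; returns 1 if any were found, 0 if clean.
find_dlv() {
    kind=$1; shift
    awk -v kind="$kind" '
    FNR == 1 { in_block = 0 }               # comment state is per file
    {
        text = $0; code = ""
        # BIND only: drop /* ... */ comments, which may span lines.
        # (Unbound has no block comments, and its paths may contain "/*".)
        while (kind == "bind" && text != "") {
            i = index(text, in_block ? "*/" : "/*")
            if (i == 0) { if (in_block) text = ""; break }
            if (!in_block) code = code substr(text, 1, i - 1)
            text = substr(text, i + 2); in_block = !in_block
        }
        code = code text
        # Strip line comments: "#" and "//" for BIND, "#" for Unbound.
        sub((kind == "bind") ? "(#|//).*" : "#.*", "", code)
        # "dnssec-lookaside no;" already disables DLV, so it is not reported.
        if (kind == "bind")
            hit = (code ~ /(^|[ \t{;])dnssec-lookaside[ \t]/) && (code !~ /dnssec-lookaside[ \t]+no[ \t]*;/)
        else
            hit = (code ~ /^[ \t]*dlv-anchor(-file)?[ \t]*:/)
        if (hit) { sub(/^[ \t]+/, "", code); print FILENAME ":" FNR ": " code; found = 1 }
    }
    END { exit found + 0 }' "$@"
}

# Constructed sample configurations (not taken from any real server).
write_samples() {
    cat > "$1/named.conf" <<'EOF'
options {
    // dnssec-lookaside auto;
    /* dnssec-lookaside auto;
       still inside the block comment */
    dnssec-lookaside auto;
};
EOF
    cat > "$1/unbound.conf" <<'EOF'
server:
    # dlv-anchor-file: "dlv.isc.org.key"
    include: "/etc/unbound/conf.d/*.conf"
    dlv-anchor-file: "dlv.isc.org.key"
EOF
}
tmp=$(mktemp -d) && write_samples "$tmp"
find_dlv bind "$tmp/named.conf" || echo "named.conf: DLV still configured"
find_dlv unbound "$tmp/unbound.conf" || echo "unbound.conf: DLV still configured"
rm -rf "$tmp"
```

Pass every file your configuration includes; the scan does not follow include statements itself.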
The effect is that the reverse DNS for our IPv6 range 2001:630:210::/44 and our JANET-specific IPv4 ranges 193.60.80.0/20 and 193.63.252.0/32 can no longer be validated.
Other Cambridge zones which cannot be validated are our RFC 1918 reverse DNS address space (because of the difficulty of distributing trust anchors); private.cam.ac.uk; and most of our Managed Zone Service zones. This may change because we would like to improve our DNSSEC coverage.