DNSSEC lookaside validation decommissioned

2017-10-02 - News - Tony Finch

In the bumper July news item there is a note about DNSSEC lookaside validation (DLV) being deprecated.

During the DNS OARC27 meeting at the end of last week, DLV was decommissioned by emptying the dlv.isc.org zone. The item on the agenda was titled "Deprecating RFC5074" - there are no slides because the configuration change was made live in front of the meeting.

If you have not done so already, you should remove any dnssec-lookaside (BIND) or dlv-anchor (Unbound) options from your server configuration.
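One way to check a configuration for leftover DLV settings, as an added example that is not part of the original news item: it reports dnssec-lookaside statements in named.conf syntax and dlv-anchor / dlv-anchor-file options in unbound.conf syntax, ignoring anything inside comments. The function names, sample configurations and file paths are constructed for illustration.

```python
import re

# BIND accepts /* */, // and # comments; Unbound accepts only #.
# Quoted strings are matched first so a marker inside quotes is left alone.
BIND_SKIP = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
UNBOUND_SKIP = re.compile(r'"[^"\n]*"|#[^\n]*')
BIND_DLV = re.compile(r'\bdnssec-lookaside\s+([^;]*?)\s*;')
UNBOUND_DLV = re.compile(r'^[ \t]*(dlv-anchor(?:-file)?)[ \t]*:[ \t]*(.*?)[ \t]*$', re.M)

def blank_comments(text, skip):
    """Overwrite comments with spaces, keeping newlines so line numbers survive."""
    def repl(m):
        s = m.group()
        return s if s.startswith('"') else re.sub(r'[^\n]', ' ', s)
    return skip.sub(repl, text)

def find_dlv(text, flavour):
    """Return (line, directive, value) for each DLV setting outside comments.
    flavour is "bind" (named.conf syntax) or "unbound" (unbound.conf syntax)."""
    bind = flavour == "bind"
    clean = blank_comments(text, BIND_SKIP if bind else UNBOUND_SKIP)
    hits = []
    for m in (BIND_DLV if bind else UNBOUND_DLV).finditer(clean):
        line = clean.count("\n", 0, m.start()) + 1
        name, value = ("dnssec-lookaside", m.group(1)) if bind else m.groups()
        hits.append((line, name, " ".join(value.split())))
    return hits

# Constructed sample configurations (not taken from any real server).
SAMPLE_NAMED = '''options {
    directory "/var/named";   // working directory
    dnssec-validation auto;
    /* old setting, already disabled:
       dnssec-lookaside auto; */
    dnssec-lookaside . trust-anchor dlv.isc.org;
};
'''
SAMPLE_UNBOUND = '''server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # dlv-anchor-file: "/etc/unbound/old.key"
    dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"  # remove
'''

if __name__ == "__main__":
    for label, text, flavour in (("named.conf", SAMPLE_NAMED, "bind"),
                                 ("unbound.conf", SAMPLE_UNBOUND, "unbound")):
        for line, name, value in find_dlv(text, flavour):
            print(f"{label}:{line}: remove {name} {value}")
```

The scan covers only the text it is given; files pulled in through include statements need to be passed to it separately.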

The effect is that the reverse DNS for our IPv6 range 2001:630:210::/44 and our JANET-specific IPv4 ranges 193.60.80.0/20 and 193.63.252.0/32 can no longer be validated.

Other Cambridge zones which cannot be validated are our RFC 1918 reverse DNS address space (because of the difficulty of distributing trust anchors); private.cam.ac.uk; and most of our Managed Zone Service zones. This may change because we would like to improve our DNSSEC coverage.