On Fri, 2015-06-19 at 05:58 +0000, Eray Aslan wrote:
> With the root zone and most TLDs signed, I do not think it makes sense
> to use DLV anymore. While a typical DNSSEC resolver configuration has
> DLV enabled, I personally make the effort to disable it.

I agree. My bind rpm packages now install the bind.keys file from the ISC tarball as /etc/named.bind.keys, rather than the older Red Hat naming of /etc/named.iscdlv.key. That name was misleading anyway, since the bind.keys file currently contains both the isc-dlv key and the root key.

My bind rpm packages have a default named.conf that now properly uses "dnssec-validation auto;" to use the root key from that /etc/named.bind.keys file. It contains a commented "// dnssec-lookaside auto;", which, if manually uncommented, will use the dlv key from that file.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
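An added example, not part of the original message or of the packages it describes: a small audit that tells an active "dnssec-lookaside" statement apart from the commented-out one in a named.conf, and confirms "dnssec-validation auto;" is in effect. The sample configurations and the function names are constructed for illustration.

```python
import re

# Constructed sample mirroring the default named.conf described in the message.
SAMPLE_DEFAULT = """
options {
    directory "/var/named";
    dnssec-validation auto;   # root key from /etc/named.bind.keys
    // dnssec-lookaside auto;
};
"""

# Constructed sample where the DLV line has been manually uncommented.
SAMPLE_DLV_ON = SAMPLE_DEFAULT.replace("// dnssec-lookaside", "dnssec-lookaside")


def strip_comments(text):
    """Remove /* */, // and # comments while leaving quoted strings intact."""
    pattern = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
    return pattern.sub(lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)


def statement_value(text, option):
    """Return the value of the last active `option value;` statement, or None."""
    found = re.findall(r'(?<![\w-])' + re.escape(option) + r'\s+([^;{}]+);', text)
    return found[-1].strip() if found else None


def audit(conf_text):
    """Report whether root-anchored validation is on and DLV is off."""
    active = strip_comments(conf_text)
    validation = statement_value(active, "dnssec-validation")
    lookaside = statement_value(active, "dnssec-lookaside")
    return {
        "validation": validation,
        "lookaside": lookaside,
        "root_anchor_validation": validation == "auto",
        # Assumption: an absent statement or an explicit "no" means DLV is off.
        "dlv_enabled": lookaside is not None and lookaside != "no",
    }


if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT), ("dlv uncommented", SAMPLE_DLV_ON)):
        print(name, audit(conf))
```

To check a real file, pass its contents to audit(); statements pulled in through include files are not followed.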