On Mon, 28 Aug 2017 13:05:12 +0100, Chronos wrote:
> On Mon, 28 Aug 2017 10:07:31 -0000 (UTC)
> Martin Gregorie <mar...@address-in-sig.invalid> wrote:
>
>> This is something I've been ignoring because I was expecting it to be
>> fixed in an update from RedHat.
>
> Nope, the ISC lookaside validation system is defunct. It was only ever
> intended to be a stop-gap measure until the root was signed anyway. You
> really need to set up managed_keys trust anchoring if you're going to be
> using DNSSEC.
>
> managed-keys {
>     "." initial-key 257 3 8
>     "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
>     FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
>     bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
>     X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
>     W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
>     Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
>     QxA+Uk1ihz0=";
> };
>
> You have until the 11th September to get that into your named.conf as
> there is an imminent KSK rollover on the 11th October and managed_keys
> needs 30 days of signed prepublication for it to automatically roll over
> to the new KSK.
Thanks.
My named.conf contains the lines:
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
and /var/named/dynamic/managed-keys.bind contains that key in a KEYDATA
where it is tagged as
; next refresh: Tue, 29 Aug 2017 17:31:27 GMT
; trusted since: Mon, 17 Apr 2017 11:25:56 GMT
Does this mean that I don't need to do anything apart from possibly
removing the "bindkeys-file" line, which points to a file containing the
key you've quoted?
This file also says:
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed
# from the root zone.
which rather makes it look as though dnf updates will clean it all up in
due course.
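As an added illustration (not part of the thread, and not code from BIND or ISC) of the two things the posters are checking by hand, here is a small Python script that (a) parses a `managed-keys { ... }` stanza like the one quoted above and computes the RFC 4034 key tag of each trust anchor, so you can confirm the anchor in named.conf really is the key id that bind.keys and managed-keys.bind label it with, and (b) reads the `; trusted since:` / `; next refresh:` comment lines that named writes next to a KEYDATA record and applies the 30-day RFC 5011 hold-down arithmetic behind the "11th September for an 11th October rollover" deadline. The managed-keys text and the two comment lines are constructed samples copied from the thread; the function names, the regular expressions and the hold-down helper are my own assumptions, not anything named ships.

```python
import base64
import re
import struct
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the managed-keys stanza from the thread (the 2010 root KSK).
SAMPLE_MANAGED_KEYS = '''
managed-keys {
    "." initial-key 257 3 8
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
    FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
    bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
    X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
    W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
    Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
    QxA+Uk1ihz0=";
};
'''

# Constructed sample: the comment lines named writes beside a KEYDATA record
# in managed-keys.bind, exactly as quoted in the thread.
SAMPLE_KEYDATA_COMMENTS = '''
; next refresh: Tue, 29 Aug 2017 17:31:27 GMT
; trusted since: Mon, 17 Apr 2017 11:25:56 GMT
'''

# Hypothetical regex for one anchor inside managed-keys { ... }: the owner name,
# the keyword, flags/protocol/algorithm, then the base64 key (may span lines).
ANCHOR_RE = re.compile(
    r'"(?P<name>[^"]+)"\s+initial-key\s+'
    r'(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+'
    r'"(?P<key>[^"]+)"\s*;', re.S)


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_managed_keys(text):
    """Return one dict per trust anchor found in a managed-keys stanza."""
    anchors = []
    for m in ANCHOR_RE.finditer(text):
        flags, proto, alg = (int(m.group(g)) for g in ("flags", "proto", "alg"))
        public_key = base64.b64decode(re.sub(r"\s+", "", m.group("key")))
        anchors.append({
            "name": m.group("name"),
            "flags": flags, "protocol": proto, "algorithm": alg,
            "tag": key_tag(flags, proto, alg, public_key),
        })
    return anchors


def parse_keydata_comments(text):
    """Pull the 'next refresh' and 'trusted since' timestamps out of the comments."""
    found = {}
    for label in ("next refresh", "trusted since"):
        m = re.search(r";\s*%s:\s*(.+)" % label, text)
        if m:
            # RFC 2822 date parsing handles the 'GMT' suffix and returns an aware datetime.
            found[label] = parsedate_to_datetime(m.group(1).strip())
    return found


def prepublication_ok(trusted_since, rollover, min_days=30):
    """RFC 5011 hold-down: the new anchor must have been trusted >= min_days before rollover."""
    return rollover - trusted_since >= timedelta(days=min_days)


if __name__ == "__main__":
    for a in parse_managed_keys(SAMPLE_MANAGED_KEYS):
        print("anchor %s flags=%d alg=%d key id=%d" % (a["name"], a["flags"], a["algorithm"], a["tag"]))
    stamps = parse_keydata_comments(SAMPLE_KEYDATA_COMMENTS)
    rollover = datetime(2017, 10, 11, tzinfo=timezone.utc)
    print("trusted since", stamps["trusted since"].isoformat(),
          "-> hold-down satisfied for 2017-10-11:", prepublication_ok(stamps["trusted since"], rollover))
```

Run against the quoted stanza it reports key id 19036, which is the number the iscdlv.key comment attaches to the old KSK; a resolver that is going to follow the rollover automatically must show the successor key with its own `; trusted since:` stamp at least 30 days before the rollover date, which is what `prepublication_ok` checks.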