Bug 1223365

Summary: Remove usage of DLV from the default configuration
Product: [Fedora] Fedora
Reporter: Tomáš Hozza <thozza>
Component: bind
Assignee: Tomáš Hozza <thozza>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: psimerda, redhat-bugzilla, thozza, vonsch
Hardware: All
OS: Unspecified
Doc Type: Bug Fix
Clone Of: 1223336
Last Closed: 2015-05-22 17:13:39 UTC
Type: Bug
Bug Blocks: 1223360

Description Tomáš Hozza 2015-05-20 12:10:54 UTC
+++ This bug was initially created as a clone of Bug #1223336 +++

Description of problem:
As mentioned in Bug #1223325, ISC is planning to deprecate their DLV registry in the future. Currently, the default configuration shipped with BIND has DLV enabled.

The usage of DLV should be removed from the default configuration. 

Version-Release number of selected component (if applicable):
latest

How reproducible:
always

Steps to Reproduce:
1. Inspect /etc/named.conf installed by the bind package

Actual results:
There is a "dnssec-lookaside auto;" line in the options section of the default configuration.

Expected results:
There is NO "dnssec-lookaside auto;" line in the options section of the default configuration.

Comment 1 Tomáš Hozza 2015-05-22 17:13:39 UTC
removed in bind-9.10.2-3.fc23

Comment 2 Robert Scheck 2015-12-26 23:38:21 UTC
Wouldn't it make sense to remove the 'bindkeys-file "/etc/named.iscdlv.key";'
line from the default configuration as well?

Comment 3 Tomáš Hozza 2016-01-04 12:37:25 UTC
(In reply to Robert Scheck from comment #2)
> Wouldn't it make sense to remove the 'bindkeys-file "/etc/named.iscdlv.key";'
> line from the default configuration as well?

Technically it could be removed. However, it should not do any harm when left in the configuration. The file is named "named.iscdlv.key"; however, it also contains the root key. The file is from the BIND sources (just renamed from bind.keys) and if it is not found, then the keys compiled into the source are used.

I just left it there, because when it is not specified, BIND looks for the file /etc/bind.keys. So when someone wants to use the DLV, the compiled-in keys would be used (which should not be a real problem).

I think I could comment it out and provide a short comment.

Comment 4 Robert Scheck 2016-01-04 18:50:07 UTC
(In reply to Tomas Hozza from comment #3)
> I think I could comment it out and provide a short comment.

That would be great. Btw, /etc/named.root.key contains the same key, so
there shouldn't be real need for /etc/named.iscdlv.key from my point of
view.

Comment 5 Tomáš Hozza 2016-01-05 09:58:27 UTC
(In reply to Robert Scheck from comment #4)
> (In reply to Tomas Hozza from comment #3)
> > I think I could comment it out and provide a short comment.
> 
> That would be great. Btw, /etc/named.root.key contains the same key, so
> there shouldn't be real need for /etc/named.iscdlv.key from my point of
> view.

I'm aware of that. Thank you.

Comment 6 Tomáš Hozza 2016-01-06 14:12:30 UTC
Commented out with short description:
http://pkgs.fedoraproject.org/cgit/rpms/bind.git/commit/?id=1a8262dde07fc595ad989bb63b23a59d4a353901
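
A comment-aware check for the two directives discussed in this bug, as an added example that is not part of the original report or of the Fedora package: a plain text search would still report the bindkeys-file line after it was commented out. The function names and both sample configurations are constructed for illustration.

```python
import re

# Directive names taken from this bug thread.
WATCHED = ("dnssec-lookaside", "bindkeys-file")

# named.conf allows /* */, // and # comments; quoted strings are matched first
# so that "//" or "#" inside a path is not mistaken for a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.DOTALL)

def strip_comments(text):
    """Blank out comments, keeping newlines so line numbers stay valid."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r"[^\n]", " ", tok)
    return _TOKEN.sub(repl, text)

def active_directives(conf_text):
    """Return (line, directive, value) for each watched directive still in effect."""
    clean = strip_comments(conf_text)
    pattern = r'(?<![\w-])(%s)\s+([^;{}]*);' % "|".join(map(re.escape, WATCHED))
    return [(clean.count("\n", 0, m.start()) + 1, m.group(1),
             " ".join(m.group(2).split()))
            for m in re.finditer(pattern, clean)]

# Constructed sample: DLV enabled, as in the "Actual results" above.
SAMPLE_BEFORE = '''options {
    directory "/var/named";
    dnssec-validation yes;
    dnssec-lookaside auto;
    bindkeys-file "/etc/named.iscdlv.key";
};
'''

# Constructed sample: both directives present only inside comments.
SAMPLE_AFTER = '''options {
    directory "/var/named";
    dnssec-validation yes;
    /* DLV registry is being deprecated; kept for reference only
    dnssec-lookaside auto; */
    // bindkeys-file "/etc/named.iscdlv.key";
    # dnssec-lookaside auto;
};
'''

if __name__ == "__main__":
    for name, conf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, active_directives(conf))
```
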