To: bind9-public@isc.org
From: "Mark Andrews" <marka@isc.org>
Date: Fri, 27 Oct 2017 09:46:39 +1100
Message-ID: <20171026224639.C3E448D3B8CF@rock.dv.isc.org>
Subject: Re: [ISC-Bugs #46410] should dlv.isc.org be a nonfatal warning?
In-Reply-To: Your message of "Thu, 26 Oct 2017 17:58:38 -0000."

In message , "Evan Hunt via RT" writes:
>
> I got an angry message from someone trying 9.12.0b1 who spent an hour trying
> to figure out why his server wouldn't start. It turned out to be because
> configuring lookaside with dlv.isc.org is fatal now. There was some kind of
> syslog problem that prevented him from seeing the error message right away.
>
> On the one hand, syslog problems aren't our responsibility, and he could have
> lost less time if he'd known to run "named -g". Still, he's got a point:
> if you're experimenting with a new release, you're going to try it with your
> existing configuration, and it's unsettling if it fails, and makes you feel
> less inclined to upgrade.
>
> Do we *need* to break ISC DLV lookaside configurations? If so, why? If not,
> let's change it back to a warning.

9.12.0 is a .0 release. This is the point where we break things
if we are going to break things. 9.{9,10,11}.x is (or should be)
a warning.

They also didn't even run named-checkconf.

[rock:bin/tests/system] marka% named-checkconf /etc/named.cache.conf
/etc/named.cache.conf:56: dlv.isc.org has been shut down
[rock:bin/tests/system] marka% echo $?
1
[rock:bin/tests/system] marka%

We provide the tools for people to test the configuration.

Or read the release notes that state it is a fatal configuration error.

    The ISC DNSSEC Lookaside Validation (DLV) service has been shut
    down; all DLV records in the dlv.isc.org zone have been removed.
    References to the service have been removed from BIND
    documentation. Lookaside validation is no longer used by default
    by delv. The DLV key has been removed from bind.keys. Setting
    dnssec-lookaside to auto or to use dlv.isc.org as a trust anchor
    is now a fatal configuration error. [RT #46155]

Or CHANGES

4749.   [func]          The ISC DLV service has been shut down, and all
                        DLV records have been removed from dlv.isc.org.
                        - Removed references to ISC DLV in documentation
                        - Removed DLV key from bind.keys
                        - No longer use ISC DLV by default in delv
                        - "dnssec-lookaside auto" and configuration of
                          "dnssec-lookaside" with dlv.isc.org as trust
                          anchor are both now fatal errors. [RT #46155]

This all said we could make it just a warning.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
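
The pre-upgrade check discussed in the message above, as an added example that is not part of the original message and is not BIND's own code: a small scan that flags the two dnssec-lookaside settings the release notes call fatal in 9.12.0. The function names and sample configurations are constructed for illustration; named-checkconf from the target release remains the authoritative check.

```python
import re
import sys

# Constructed sample named.conf fragments (not taken from the message).
SAMPLE_OLD = '''
options {
    directory "/var/named";   // working dir
    dnssec-validation yes;
    /* legacy lookaside setup
       dnssec-lookaside no; */
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};
'''
SAMPLE_AUTO = 'options { dnssec-lookaside auto; };  # old default\n'
SAMPLE_OK = 'options {\n  # dnssec-lookaside auto;\n  dnssec-lookaside no;\n};\n'

# Quoted strings are matched first so "#" or "//" inside them is not a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_STATEMENT = re.compile(r'\bdnssec-lookaside\s+([^;]*);', re.I)

def strip_comments(text):
    """Blank out /* */, // and # comments; keep strings and line breaks."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r'[^\n]', ' ', tok)
    return _TOKEN.sub(repl, text)

def find_dlv_problems(text):
    """Return (line, statement) for 'dnssec-lookaside auto' or a
    dnssec-lookaside statement using dlv.isc.org as trust anchor."""
    clean = strip_comments(text)
    hits = []
    for m in _STATEMENT.finditer(clean):
        args = m.group(1).replace('"', ' ').lower().split()
        anchor = args[args.index('trust-anchor') + 1:] if 'trust-anchor' in args else []
        uses_isc = bool(anchor) and anchor[0].rstrip('.') == 'dlv.isc.org'
        if args == ['auto'] or uses_isc:
            line = clean.count('\n', 0, m.start()) + 1
            hits.append((line, ' '.join(m.group(0).split())))
    return hits

if __name__ == '__main__':
    # Usage: script.py named.conf [more files]; exits 1 on any finding,
    # mirroring the non-zero named-checkconf status shown in the message.
    failed = False
    for path in sys.argv[1:]:
        with open(path, encoding='utf-8') as fh:
            for line, stmt in find_dlv_problems(fh.read()):
                print(f'{path}:{line}: {stmt} (fatal in 9.12.0)')
                failed = True
    sys.exit(1 if failed else 0)
```

The scan does not follow include directives, so each included file has to be passed on the command line.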