CST delegated, plus DNSSEC-related news

2017-07-18 - News - Tony Finch

From October, the Computer Laboratory will be known as the Department of Computer Science and Technology.

Our colleagues in the CL have set up the zone cst.cam.ac.uk to go with the new name, and it has been added to our sample nameserver configuration file.

The first root DNSSEC key rollover is happening

The new key (tag 20326) was published on 11th July, and validating resolvers that follow RFC 5011 rollover timing will automatically start trusting it on the 10th August. There's a lot more information about the root DNSSEC key rollover on the ISC.org blog. I have added some notes on how to find out about your server's rollover state on our DNSSEC validation page.
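As an added illustration (not code from this site or from any resolver), the following Python models the RFC 5011 add hold-down timer for a resolver that polls once a day. It shows why a key first seen on 11th July becomes trusted on 10th August, and how a later first sighting or a gap in publication moves that date. The daily polling, the `OLD_TAG` placeholder and all function names are assumptions; the TTL-based lower bound on the timer and key revocation are left out.

```python
from datetime import date, timedelta

ADD_HOLD_DOWN = timedelta(days=30)   # RFC 5011 add hold-down time
NEW_TAG = 20326                      # new root key tag, from the post
OLD_TAG = 11111                      # constructed placeholder for the existing anchor


class Candidate:
    """One new key moving through Start -> AddPend -> Valid (RFC 5011 states)."""

    def __init__(self, tag):
        self.tag, self.state, self.first_seen = tag, "Start", None

    def observe(self, day, tags):
        """tags: key tags in a DNSKEY RRset validated by an already-trusted key."""
        present = self.tag in tags
        if self.state == "Start" and present:
            self.state, self.first_seen = "AddPend", day
        elif self.state == "AddPend" and not present:
            # Key vanished before the timer ran out: start again from scratch.
            self.state, self.first_seen = "Start", None
        elif self.state == "AddPend" and day - self.first_seen >= ADD_HOLD_DOWN:
            self.state = "Valid"
        return self.state


def first_trusted(first_query, missing_on=(), horizon=120):
    """Return the day a resolver polling daily starts trusting NEW_TAG, or None."""
    cand = Candidate(NEW_TAG)
    for n in range(horizon):
        day = first_query + timedelta(days=n)
        # Constructed input: the RRset always holds the old key, and the new
        # key too except on the days listed in missing_on.
        tags = {OLD_TAG} if day in missing_on else {OLD_TAG, NEW_TAG}
        if cand.observe(day, tags) == "Valid":
            return day
    return None


if __name__ == "__main__":
    print(first_trusted(date(2017, 7, 11)))                                  # seen from day one
    print(first_trusted(date(2017, 7, 25)))                                  # resolver started late
    print(first_trusted(date(2017, 7, 11), missing_on={date(2017, 7, 20)}))  # timer restarted
```

A resolver whose first validated sighting of the new key is later than the publication date trusts it correspondingly later, which is why it is worth checking each server's rollover state rather than assuming the calendar date.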

DNSSEC lookaside validation is deprecated

The DLV turndown was announced in 2015 and the dlv.isc.org zone is due to be emptied in 2017. You should delete any dnssec-lookaside option you have in your configuration to avoid complaints in named's logs.

Annoyingly, we were relying on DLV as a stop-gap while waiting for JISC to sign their reverse DNS zones. Some of our IPv4 address ranges and our main IPv6 allocation are assigned to us by JISC. Without DLV these zones can no longer be validated.