On 26/08/14 2:06, Joe Abley wrote:
DLV was a transition mechanism that was arguably most useful before the root zone was signed. The root zone was signed in 2010.
FWIW, the original poster mentioned using RHEL 6. Which was first released in 2010: https://access.redhat.com/articles/3078 Presumably the default config file examples were first prepared at a point when DLV still looked like a useful idea (eg, before the root/as many TLDs were signed, when 2LD/3LD trust anchors were potentially helpful). AFAIK RHEL don't update the default config files in point releases, so I suspect it still has the GA config files by default. I'd definitely echo the sentiments of others that when deploying an older operating system (and RHEL 6 is coming up to 4 years old; RHEL 7 was released earlier this year) it is worth the time to double check that key software components important to you, especially those for an area like DNSSEC which has seen significant change over that time, are (a) still the best version for you to run and (b) have appropriate configuration. What was potentially a good idea in 2010 may not still be a good idea in 2014. Which is not really specific to RHEL 6, or even DNSSEC, so much as best practice when deploying older software. Definitely something to be aware of with RHEL 6 and DNSSEC though, as they were one of the first OS to ship with DNSSEC validation preconfigured. I doubt this will be the last time someone deploys RHEL 6 in 2014 or even 2015... Ewen