Commit d5bd8bb7 authored by Evan Hunt's avatar Evan Hunt

[v9_11] de-DLV

4749.	[func]		The ISC DLV service has been shut down, and all
			DLV records have been removed from dlv.isc.org.
			- Removed references to ISC DLV in documentation
			- Removed DLV key from bind.keys
			- No longer use ISC DLV by default in delv
			[RT #46155]
parent ad131733
4749. [func] The ISC DLV service has been shut down, and all
DLV records have been removed from dlv.isc.org.
- Removed references to ISC DLV in documentation
- Removed DLV key from bind.keys
- No longer use ISC DLV by default in delv
[RT #46155]
4748. [cleanup] Sprintf to snprintf coversions. [RT #46132]
4746. [cleanup] Add configured prefixes to configure summary
......
......@@ -574,7 +574,7 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
dns_fixedname_t fkeyname;
dns_name_t *keyname;
isc_result_t result;
isc_boolean_t match_root, match_dlv;
isc_boolean_t match_root = ISC_FALSE, match_dlv = ISC_FALSE;
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
CHECK(convert_name(&fkeyname, &keyname, keynamestr));
......@@ -582,8 +582,10 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
if (!root_validation && !dlv_validation)
return (ISC_R_SUCCESS);
match_root = dns_name_equal(keyname, anchor_name);
match_dlv = dns_name_equal(keyname, dlv_name);
if (anchor_name)
match_root = dns_name_equal(keyname, anchor_name);
if (dlv_name)
match_dlv = dns_name_equal(keyname, dlv_name);
if (!match_root && !match_dlv)
return (ISC_R_SUCCESS);
......@@ -713,14 +715,10 @@ setup_dnsseckeys(dns_client_t *client) {
fatal("out of memory");
}
if (dlv_anchor == NULL) {
dlv_anchor = isc_mem_strdup(mctx, "dlv.isc.org");
if (dlv_anchor == NULL)
fatal("out of memory");
}
CHECK(convert_name(&afn, &anchor_name, trust_anchor));
CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
if (trust_anchor != NULL)
CHECK(convert_name(&afn, &anchor_name, trust_anchor));
if (dlv_anchor != NULL)
CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
......
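Review bot: After this change lookaside validation in delv is effectively off whenever dlv_name is NULL, yet the early return in key_fromconfig (`if (!root_validation && !dlv_validation)`) still keys off the dlv_validation flag, whose initial value is not visible in these hunks. If that flag still defaults to true, any code that tests only the flag would treat DLV as enabled with no anchor configured, so consider clearing it in setup_dnsseckeys when dlv_anchor is NULL, or at least documenting the invariant with `/* dlv_name stays NULL unless +dlv=NAME was given */`. The new guards in key_fromconfig also test the pointers implicitly (`if (anchor_name)`, `if (dlv_name)`) while the ones added in setup_dnsseckeys use `!= NULL`; `if (anchor_name != NULL)` and `if (dlv_name != NULL)` would match. Both functions start and end outside the hunks shown.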
......@@ -99,8 +99,7 @@
</para>
<para>
By default, responses are validated using built-in DNSSEC trust
anchors for the root zone (".") and for the ISC DNSSEC lookaside
validation zone ("dlv.isc.org"). Records returned by
anchor for the root zone ("."). Records returned by
<command>delv</command> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
......@@ -202,14 +201,15 @@
Specifies a file from which to read DNSSEC trust anchors.
The default is <filename>/etc/bind.keys</filename>, which
is included with <acronym>BIND</acronym> 9 and contains
trust anchors for the root zone (".") and for the ISC
DNSSEC lookaside validation zone ("dlv.isc.org").
one or more trust anchors for the root zone (".").
</para>
<para>
Keys that do not match the root or DLV trust-anchor
names are ignored; these key names can be overridden
using the <option>+dlv=NAME</option> or
<option>+root=NAME</option> options.
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<option>+root=NAME</option> options. DNSSEC Lookaside
Validation can also be turned on by using the
<option>+dlv=NAME</option> to specify the name of a
zone containing DLV records.
</para>
<para>
Note: When reading the trust anchor file,
......@@ -639,11 +639,8 @@
<para>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
The default is to perform lookaside validation using
a trust anchor of "dlv.isc.org", for which there is a
built-in key. If specifying a different name, then
<option>-a</option> must be used to specify a file
containing the DLV key.
The <option>-a</option> option must also be used to specify
a file containing the DLV key.
</para>
</listitem>
</varlistentry>
......
......@@ -122,9 +122,6 @@ options {\n\
trust-anchor-telemetry yes;\n\
# use-id-pool <obsolete>;\n\
# use-ixfr <obsolete>;\n\
\n\
/* DLV */\n\
dnssec-lookaside . trust-anchor dlv.isc.org;\n\
\n\
/* view */\n\
acache-cleaning-interval 60;\n\
......@@ -288,8 +285,8 @@ view \"_bind\" chaos {\n\
};\n\
"
"#\n\
# Default trusted key(s) for builtin DLV support\n\
# (used if \"dnssec-lookaside auto;\" is set and\n\
# Default trusted key(s), used if \n\
# \"dnssec-validation auto;\" is set and\n\
# sysconfdir/bind.keys doesn't exist).\n\
#\n\
# BEGIN MANAGED KEYS\n"
......
......@@ -881,8 +881,7 @@ keyloaded(dns_view_t *view, dns_name_t *name) {
static isc_result_t
configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
const cfg_obj_t *config, const cfg_obj_t *bindkeys,
isc_boolean_t auto_dlv, isc_boolean_t auto_root,
isc_mem_t *mctx)
isc_boolean_t auto_root, isc_mem_t *mctx)
{
isc_result_t result = ISC_R_SUCCESS;
const cfg_obj_t *view_keys = NULL;
......@@ -941,65 +940,6 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
return (ISC_R_UNEXPECTED);
}
if (auto_dlv && view->rdclass == dns_rdataclass_in) {
const cfg_obj_t *builtin_keys = NULL;
const cfg_obj_t *builtin_managed_keys = NULL;
/*
* If bind.keys exists and is populated, it overrides
* the managed-keys clause hard-coded in ns_g_config.
*/
if (bindkeys != NULL) {
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"obtaining DLV key for view %s "
"from '%s'",
view->name, ns_g_server->bindkeysfile);
(void)cfg_map_get(bindkeys, "trusted-keys",
&builtin_keys);
(void)cfg_map_get(bindkeys, "managed-keys",
&builtin_managed_keys);
if ((builtin_keys == NULL) &&
(builtin_managed_keys == NULL))
isc_log_write(ns_g_lctx,
DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER,
ISC_LOG_WARNING,
"dnssec-lookaside auto: "
"WARNING: key for dlv.isc.org "
"not found");
}
if ((builtin_keys == NULL) &&
(builtin_managed_keys == NULL))
{
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"using built-in DLV key for view %s",
view->name);
(void)cfg_map_get(ns_g_config, "trusted-keys",
&builtin_keys);
(void)cfg_map_get(ns_g_config, "managed-keys",
&builtin_managed_keys);
}
if (builtin_keys != NULL)
CHECK(load_view_keys(builtin_keys, vconfig, view,
ISC_FALSE, view->dlv, mctx));
if (builtin_managed_keys != NULL)
CHECK(load_view_keys(builtin_managed_keys, vconfig,
view, ISC_TRUE, view->dlv, mctx));
if (!keyloaded(view, view->dlv)) {
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"DLV key not loaded");
result = ISC_R_FAILURE;
goto cleanup;
}
}
if (auto_root && view->rdclass == dns_rdataclass_in) {
const cfg_obj_t *builtin_keys = NULL;
const cfg_obj_t *builtin_managed_keys = NULL;
......@@ -3294,7 +3234,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
const cfg_obj_t *disablelist = NULL;
isc_stats_t *resstats = NULL;
dns_stats_t *resquerystats = NULL;
isc_boolean_t auto_dlv = ISC_FALSE;
isc_boolean_t auto_root = ISC_FALSE;
ns_cache_t *nsc;
isc_boolean_t zero_no_soattl;
......@@ -4564,19 +4503,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
obj = NULL;
result = ns_config_get(optionmaps, "dnssec-lookaside", &obj);
if (result == ISC_R_SUCCESS) {
/* If set to "auto", use the version from the defaults */
/* "auto" is deprecated, log a warning if seen */
const char *dom;
dlvobj = cfg_listelt_value(cfg_list_first(obj));
dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
/* If "no", skip; if "auto", use global default */
if (!strcasecmp(dom, "no"))
/* If "no", skip; if "auto", log warning */
if (!strcasecmp(dom, "no")) {
result = ISC_R_NOTFOUND;
} else if (!strcasecmp(dom, "auto")) {
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
"WARNING: the DLV server at "
"'dlv.isc.org' is no longer "
"in service; dnssec-lookaside "
"ignored");
result = ISC_R_NOTFOUND;
else if (!strcasecmp(dom, "auto")) {
auto_dlv = ISC_TRUE;
obj = NULL;
result = cfg_map_get(ns_g_defaults,
"dnssec-lookaside", &obj);
}
}
}
......@@ -4586,6 +4527,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
dns_fixedname_t f;
dns_fixedname_init(&f);
/* Also log a warning if manually configured to dlv.isc.org */
iscdlv = dns_fixedname_name(&f);
CHECK(dns_name_fromstring(iscdlv, "dlv.isc.org", 0, NULL));
......@@ -4599,27 +4541,27 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
dlv = dns_fixedname_name(&view->dlv_fixed);
CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj),
DNS_NAME_DOWNCASE, NULL));
view->dlv = dns_fixedname_name(&view->dlv_fixed);
if (dns_name_equal(view->dlv, iscdlv)) {
if (auto_dlv)
obj = dlvobj;
if (dns_name_equal(dlv, iscdlv)) {
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
"WARNING: the DLV server at "
"'dlv.isc.org' is expected to "
"cease operation by the end "
"of January 2017");
"'dlv.isc.org' is no longer "
"in service; dnssec-lookaside "
"ignored");
view->dlv = NULL;
} else {
view->dlv = dlv;
}
}
} else
} else {
view->dlv = NULL;
}
/*
* For now, there is only one kind of trusted keys, the
* "security roots".
*/
CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
auto_dlv, auto_root, mctx));
auto_root, mctx));
dns_resolver_resetmustbesecure(view->resolver);
obj = NULL;
result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
......@@ -7215,8 +7157,7 @@ load_configuration(const char *filename, ns_server_t *server,
/*
* If bind.keys exists, load it. If "dnssec-validation auto"
* is turned on, the root key found there will be used as a
* default trust anchor, and if "dnssec-lookaside auto" is
* turned on, then the DLV key found there will too.
* default trust anchor.
*/
obj = NULL;
result = ns_config_get(maps, "bindkeys-file", &obj);
......
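Review bot: The warning `"WARNING: the DLV server at 'dlv.isc.org' is no longer in service; dnssec-lookaside ignored"` is now spelled out twice in configure_view, once for `dnssec-lookaside auto` and once for an explicit dlv.isc.org trust anchor; a single file-scope string or a small static helper would keep the two copies from drifting. Both paths drop a validation setting the operator asked for and leave only this log line as the signal, and the dlvauto test that grepped named.run for it appears to be deleted further down this page; no replacement check for either path is visible here, so one would be worth adding. The comment `/* Also log a warning if manually configured to dlv.isc.org */` sits between `dns_fixedname_init(&f)` and the assignment that completes it, and would read better directly above the `dns_name_equal(dlv, iscdlv)` test. configure_view starts and ends outside these hunks.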
......@@ -87,9 +87,6 @@
<para>
Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent.
For example, to check for DLV records for "example.com"
in ISC's DLV zone, use:
<command>dnssec-checkds -l dlv.isc.org example.com</command>
</para>
</listitem>
</varlistentry>
......
......@@ -24,7 +24,7 @@ view view2 {
view view3 {
match-clients { none; };
dnssec-lookaside auto;
dnssec-validation auto;
};
view view4 {
......
......@@ -80,7 +80,6 @@ view "first" {
type master;
file "yyy";
};
dnssec-lookaside auto;
dnssec-validation auto;
zone-statistics terse;
};
......@@ -111,7 +110,7 @@ view "second" {
1.2.3.4;
};
};
dnssec-lookaside "." trust-anchor "dlv.isc.org.";
dnssec-lookaside "." trust-anchor "example.org.";
dnssec-validation auto;
zone-statistics full;
};
......
......@@ -72,7 +72,7 @@ SAMPLEUPDATE=$TOP/lib/samples/sample-update
# v6synth
SUBDIRS="acl additional addzone allow_query autosign builtin
cacheclean case catz chain checkconf @CHECKDS@ checknames checkzone
cookie @COVERAGE@ database digdelv dlv dlvauto dlz dlzexternal
cookie @COVERAGE@ database digdelv dlv dlz dlzexternal
dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa
ednscompliance emptyzones fetchlimit filter-aaaa formerr
forward geoip glue gost inline integrity ixfr @KEYMGR@
......
# Copyright (C) 2011, 2012, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
rm -f ns1/K*
rm -f ns1/*.signed
rm -f ns1/*.db
rm -f ns1/bind.keys
rm -f ns1/*.mkeys.jnl
rm -f ns1/*.mkeys
rm -f */named.run
rm -f */named.memstats
rm -f ns1/dsset-*.
rm -f ns2/*.mkeys
rm -f ns2/*.mkeys.jnl
rm -f dig.out.ns?.test*
rm -f ns2/named.secroots
rm -f ns*/named.lock
; Copyright (C) 2011, 2016 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id: dlv.isc.org.db.in,v 1.2 2011/03/01 22:44:04 marka Exp $
$TTL 300
@ IN SOA a.root-servers.nil. hostmaster.isc.org. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
@ NS a.root-servers.nil.
/*
* Copyright (C) 2011, 2016 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.2 2011/03/01 22:44:04 marka Exp $ */
// NS1
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
type master;
file "root.db";
};
zone "dlv.isc.org" {
type master;
file "dlv.isc.org.db.signed";
};
; Copyright (C) 2011, 2016 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id: root.db.in,v 1.2 2011/03/01 22:44:04 marka Exp $
$TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
dlv.isc.org. NS a.root-servers.nil.
#!/bin/sh -e
#
# Copyright (C) 2011, 2012, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
zone=dlv.isc.org
infile=dlv.isc.org.db.in
zonefile=dlv.isc.org.db
dlvkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $dlvkey.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
zone=.
infile=root.db.in
zonefile=root.db
rootkey=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $rootkey.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
# Create bind.keys file for the use of the resolving server
echo "managed-keys {" > bind.keys
cat $dlvkey.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
"$dn" initial-key $flags $proto $alg "$key";
EOF
' >> bind.keys
cat $rootkey.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
"$dn" initial-key $flags $proto $alg "$key";
EOF
' >> bind.keys
echo "};" >> bind.keys
/*
* Copyright (C) 2011, 2013, 2016 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.3 2011/03/03 16:16:47 each Exp $ */
// NS2
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
notify no;
dnssec-enable yes;
dnssec-validation yes;
bindkeys-file "../ns1/bind.keys";
dnssec-lookaside "auto";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
view "in" {
recursion yes;
zone "." {
type hint;
file "../../common/root.hint";
};
};
view "ch" ch {
match-clients { 127.0.0.1; };
};
view "unused" {
match-clients { none; };
};
#!/bin/sh
#
# Copyright (C) 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
exec $SHELL ../testcrypto.sh
#!/bin/sh -e
#
# Copyright (C) 2011, 2012, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
$SHELL clean.sh
test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
cd ns1 && $SHELL sign.sh
# Copyright (C) 2011, 2012, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
status=0
n=1
echo "I:checking that a warning was logged about the ISC DLV service ($n)"
ret=0
warnings=`grep "WARNING: the DLV server at 'dlv.isc.org'" ns2/named.run`
[ -z "$warnings" ] && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
#
# When this was initialy reported there was a REQUIRE failure on restarting.
#
n=`expr $n + 1`
echo "I:checking dnssec-lookaside "'"auto"'"; with views of multiple classes ($n)"
if [ -s ns2/named.pid ]
then
ret=0
$PERL $SYSTEMTESTTOP/stop.pl . ns2 || ret=1
sleep 1
(cd ns2; $NAMED -g -d 100 -X named.lock -c named.conf >> named.run 2>&1 & )
sleep 2
$DIG $DIGOPTS soa . @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
else
echo "I:failed"
status=1
fi
n=`expr $n + 1`
echo "I:checking that only the DLV key was imported from bind.keys ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 secroots 2>&1 | sed 's/^/I:ns2 /'
linecount=`grep "\./RSAMD5/.* ; managed" ns2/named.secroots | wc -l`
[ "$linecount" -eq 0 ] || ret=1
linecount=`grep "dlv.isc.org/RSAMD5/.* ; managed" ns2/named.secroots | wc -l`
[ "$linecount" -eq 2 ] || ret=1
linecount=`cat ns2/named.secroots | wc -l`
[ "$linecount" -eq 25 ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
# which are included as part of BIND 9. The only trust anchors it contains
# are for the DNS root zone ("."). Trust anchors for any other zones MUST
# be configured elsewhere; if they are configured here, they will not be
# recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options. To use the built-in DLV key, set
# "dnssec-lookaside auto;". Without these options being set,
# the keys in this file are ignored.
# To use the built-in key, use "dnssec-validation auto;" in the
# named.conf options. Without this option being set, the keys in this
# file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of Feburary 2017. If any key fails to
# These keys are current as of October 2017. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
#
# See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information for the root zone.
managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
#
# NOTE: The ISC DLV zone is being phased out as of February 2017;