DLV or not
suresh at tislabs.com
Mon Sep 19 17:00:15 EDT 2005
Looking through the deployment list archives, the main arguments against
1. It would lower the incentive for TLDs and the root to sign
2. The DLV operator may not provide enough incentives for the child to
start using the main delegation tree once the parent is signed.
3. Once deployed it will be difficult to "back out" of DLV
4. It becomes a single point of failure; an error by the DLV operator
can impact more than one zone.
5. It depends to some degree on aggressive negative caching being
- unexpected behaviour arising from using something that the DNSSEC
specification does not directly provide for
- prevents immediate propagation of new names.
6. It makes troubleshooting of DNSSEC failures even harder
7. There may be reason to fall back to "no DLV" in some circumstances;
why not just make sure that the non-DLV case works correctly.
8. Manual configuration should be more than sufficient; the root and
TLDs will be signed long before the number of configured trust anchors
in end resolvers grows to a disproportionate number.
I really hope 1 does not prove to be true. A registry would hopefully
gain much more from DNSSEC (and a general commitment to security) than
any savings from not using DNSSEC, especially if child zones view this
as being important. Said differently, those zones that cite DLV as the
reason for not deploying may actually have a different problem of not
being able to see why DNSSEC itself is important.
2 and 3 can be overcome by a commitment by the DLV operator to
transition to the main tree whenever the parent delegation is
available. The choice for the child can simply be one of economics (if
your parent is signed it costs you more to subscribe to DLV). I don't
really see a problem with DLV existing indefinitely for those zones
whose parents simply refuse to sign.
4 is not unique to DLV; errors by *any* registry operator may be able to
impact multiple zones. Viewed in a positive sense, there may even be
opportunities to translate experiences with DLV into operational best
practices for registries.
5 is where there are the most unknowns. I don't know how
ANC is going to impact the DNS and what new timing constraints are going
to be introduced. More experiments are probably needed but it should
hopefully not take too long to know if any show-stoppers exist in this area.
6 is a problem, but not insurmountable.
7 would not scale well and I don't think 8 applies either (I believe
some zones will make the transition to DNSSEC very slowly).
All in all, I'm not too uncomfortable with going ahead with DLV. But I'm pretty sure many