[Dnssec-deployment] DLV - it's not just for hostnames.

David Conrad drc at virtualized.org
Tue Jun 14 11:39:43 EDT 2011


On Jun 14, 2011, at 7:51 AM, Paul Vixie wrote:
> i do credit ISC and DLV with the fact that any of the signing and
> validation code was ever used in production before the root or COM
> zones were signed.  

If I were the folks in SE (BG, CZ, etc.), I'd find this statement ... questionable.

> we will shut off DLV when it is no longer useful to the community.  

It was argued that IANA's ITAR was useful to the community (for suitably defined values of "useful" and "the community") when ICANN shut it off. It would've probably even been politically expedient to leave it running. Wiser heads prevailed. 

> as to how we will know that "nonuseful" has arrived, what's your proposal?

ISC refuses to accept if a chain to the root exists?

> and as for "less secure and operationally more fragile" i'd like to hear
> your reasoning.  DLV can't scale to the size of the internet but that's
> the only bad thing i can say about it.

DLV inserts ISC, their signing processes, and their infrastructure into the lookup chain.  This increases risk, latency, and adds more moving parts (regardless of how excellently ISC runs their infrastructure).

Regards,
-drc
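Added illustration of the point made above about the lookup chain (this is not code from the post, from ISC, or from the DLV RFCs): a toy model of a validating resolver that first tries to build a DS chain to the root trust anchor and, only when that chain is broken, falls back to DNSSEC Lookaside Validation (RFC 4431 / RFC 5074). The zones, DS entries and registry contents are constructed; the name dlv.isc.org appears only because the thread is about ISC's registry, and nothing here sends a query. The output makes visible what the fallback costs: extra lookups, plus a second key (the DLV zone's) the validator has to trust. RFC 5074's candidate ordering and NSEC-based shortcut are deliberately left out.

```python
"""Toy model of DNSSEC chain-of-trust validation with a DLV fallback.
Added illustration, not code from the original thread or from ISC.
All zones, DS entries and registry entries are constructed; no
queries are sent anywhere."""
from dataclasses import dataclass, field

DLV_DOMAIN = "dlv.isc.org."   # assumption: the lookaside zone named in the thread

# Zones the model knows about (constructed).
ZONES = {".", "se.", "example.se.", "org.", "example.org."}

# Keys the validator holds directly: the root (the normal trust anchor)
# and, in a DLV-enabled validator, the lookaside zone's own key.
TRUST_ANCHORS = {".", DLV_DOMAIN}

# Constructed secure delegations: child -> parent that publishes a DS
# for it.  org. is modelled as unsigned, so example.org. has no DS.
DS_CHAIN = {"se.": ".", "example.se.": "se."}

# Constructed content of the lookaside registry: zones it vouches for.
DLV_REGISTRY = {"example.org."}


@dataclass
class Result:
    name: str
    secure: bool
    trust_source: str                          # "root", "dlv" or "none"
    chain: list = field(default_factory=list)  # names whose keys/records were checked
    dlv_queries: int = 0                       # extra lookups sent to the DLV zone


def ancestors(name):
    """'a.b.c.' -> ['a.b.c.', 'b.c.', 'c.', '.']"""
    labels = [] if name == "." else name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." if labels[i:] else "."
            for i in range(len(labels) + 1)]


def closest_zone(name):
    """The nearest enclosing zone the model knows about."""
    return next(a for a in ancestors(name) if a in ZONES)


def dlv_name(zone):
    """Name the validator asks the lookaside zone about for a given zone."""
    return DLV_DOMAIN if zone == "." else zone + DLV_DOMAIN


def validate(name):
    zone = closest_zone(name)
    chain = []
    # 1. Normal DNSSEC: follow DS records upward until a trust anchor.
    z = zone
    while True:
        chain.append(z)
        if z in TRUST_ANCHORS:
            return Result(name, True, "root", chain)
        parent = DS_CHAIN.get(z)
        if parent is None:
            break            # parent publishes no DS: chain to the root ends at z
        z = parent
    # 2. Lookaside: ask the DLV zone about z and each of its parents,
    #    stopping before a trust-anchored name.  Each candidate costs a
    #    query, and the answer is only as trustworthy as the DLV zone's
    #    key and signing process.  (RFC 5074 ordering/NSEC shortcut omitted.)
    queries = 0
    for cand in ancestors(z):
        if cand in TRUST_ANCHORS:
            break
        queries += 1
        chain.append(dlv_name(cand))
        if cand in DLV_REGISTRY:
            chain.append(DLV_DOMAIN)   # the lookaside zone's own key closes the chain
            return Result(name, True, "dlv", chain, queries)
    return Result(name, False, "none", chain, queries)


if __name__ == "__main__":
    for n in ("host.example.se.", "www.example.org.", "www.org."):
        r = validate(n)
        print(f"{n:18} secure={r.secure!s:5} via={r.trust_source:4} "
              f"dlv_queries={r.dlv_queries} chain={' -> '.join(r.chain)}")
```

Running it shows host.example.se. validating through se. to the root with no lookaside traffic, www.example.org. validating only by way of example.org.dlv.isc.org. and the DLV zone's key, and www.org. costing a lookaside query that yields nothing. Once a zone's parent publishes a DS for it, step 2 is never reached; that is the condition under which the lookaside entry stops carrying any weight.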