[Dnssec-deployment] DLV - it's not just for hostnames.

Michael Graff mgraff at isc.org
Tue Jun 14 11:55:57 EDT 2011


On 6/14/11 10:47 AM, Michael Graff wrote:
> On 6/14/11 10:39 AM, David Conrad wrote:
>> This increases risk, latency, and adds more moving parts...

BTW, not to add more fuel for any fires, but this statement also
summarizes DNSSEC even when used "naturally."  I know DLV adds another
weight to this.

I suspect the reason most people have not jumped onto DNSSEC is not that
DLV exists, but rather that DNSSEC has always been a solution looking for a
problem.  That it took years measured in the double digits to deploy
tells me that DLV is a small blip in the timeline, regardless of whether it
is positive or negative.

I would really rather everyone spend their time encouraging TLDs and
registrars to sign and deploy and educate their staff and users, rather
than fighting against something like DLV.  I would really like the
answer to the question of "should I put my zone in DLV?" to be "No, all
registrars and zones are fully capable of accepting DNSSEC information
now, so don't use DLV."

Today that answer is, "If your registrar and TLD support DNSSEC all the
way from your zone to the root, then you do not need to use DLV, and ISC
recommends against using DLV.  If there is no trusted chain or your
registrar does not accept DNSSEC records, and you cannot switch to one
which does, DLV may be for you."

--Michael

