[Dnssec-deployment] DLV - it's not just for hostnames.

Michael Graff mgraff at isc.org
Tue Jun 14 11:55:57 EDT 2011


On 6/14/11 10:47 AM, Michael Graff wrote:
> On 6/14/11 10:39 AM, David Conrad wrote:
>> This increases risk, latency, and adds more moving parts...

BTW, not to add more fuel for any fires, but this statement also
summarizes DNSSEC even when used "naturally."  I know DLV adds another
weight to this.

I suspect the reason most people have not jumped onto DNSSEC is not that
DLV exists, but rather that DNSSEC has always been a solution looking for a
problem.  That it took years measured in the double digits to deploy
tells me that DLV is a small blip in the timeline, regardless of whether it
is positive or negative.

I would really rather everyone spend their time encouraging TLDs and
registrars to sign and deploy and educate their staff and users, rather
than fighting against something like DLV.  I would really like the
answer to the question of "should I put my zone in DLV?" to be "No, all
registrars and zones are fully capable of accepting DNSSEC information
now, so don't use DLV."

Today that answer is, "If your registrar and TLD support DNSSEC all the
way from your zone to the root, then you do not need to use DLV, and ISC
recommends against using DLV.  If there is no trusted chain or your
registrar does not accept DNSSEC records, and you cannot switch to one
which does, DLV may be for you."

--Michael
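A small model of the decision in the last paragraph, added here as an example that is not from the post or from ISC: a validator walks the delegation chain from the root trust anchor and consults DLV only where that chain is broken. All zone names and the contents of the DLV registry are constructed.

```python
# Constructed model of a validator's chain-of-trust walk with DLV lookaside.
# Names are written without the trailing dot; "." stands for the root zone.

# Constructed sample data (hypothetical zones, not real ones).
SIGNED = {".", "example", "tld-nods", "child.tld-nods"}
DS_PUBLISHED = {          # (parent, child) delegations where the parent publishes a DS
    (".", "example"),
    # no DS for "tld-nods" at the root, so the root chain breaks there
    ("tld-nods", "child.tld-nods"),
}
DLV_REGISTRY = {"child.tld-nods"}   # stand-in for zones registered in the DLV

def ancestors(name):
    """Delegation path from the root down to `name`, e.g. [".", "tld-nods", "child.tld-nods"]."""
    if name == ".":
        return ["."]
    labels = name.split(".")
    return ["."] + [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]

def chain_ok(path):
    """True when every delegation on `path` links a signed parent, via a DS, to a signed child."""
    return all(p in SIGNED and c in SIGNED and (p, c) in DS_PUBLISHED
               for p, c in zip(path, path[1:]))

def validate(name):
    """Classify `name` as a validator with the root anchor plus DLV would: (status, reason)."""
    path = ancestors(name)
    if chain_ok(path):
        return ("secure", "root chain of trust")
    # Lookaside: take the closest DLV-registered zone at or above `name` as an
    # alternate trust anchor, and require an unbroken chain from it downward.
    for i in range(len(path) - 1, 0, -1):
        anchor = path[i]
        if anchor in SIGNED and anchor in DLV_REGISTRY and chain_ok(path[i:]):
            return ("secure", f"DLV anchor for {anchor}")
    return ("insecure", "no chain from root and no usable DLV entry")

def needs_dlv(name):
    """The rule stated in the post: if the chain from the root works, do not use DLV."""
    return not chain_ok(ancestors(name))

if __name__ == "__main__":
    for zone in ("example", "tld-nods", "child.tld-nods"):
        print(zone, validate(zone), "needs DLV:", needs_dlv(zone))
```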

