[Dnssec-deployment] Size of dlv.isc.org [was: Re:DLV and in-addr.arpa]

Michael Graff mgraff at isc.org
Tue Jun 14 17:06:33 EDT 2011


On 6/14/11 3:32 PM, Paul Wouters wrote:
> On Tue, 14 Jun 2011, Michael Graff wrote:
> 
>> The same in graphical form:
>>
>> https://dlv.isc.org/system/dnskey_history.png
> 
> wow. 20% of DNSSEC domains in DLV are broken? That's a very sad statistic.
> 
> Are those broken ones suspended from DLV? Or are they just left broken?

They are emailed frequently, but after some time they are removed.  I
believe the timer is 14 days.

Most of the failures are related to not falling back to TCP, or people
enter keys into DLV then remove them.  The expired ones show the sad
state of the world -- even with normal DNSSEC, expired signatures will
cause outages.

As with the difference between AFS (which I loved) and NFS (which I
used), the failure modes between "plain DNS" and DNSSEC are drastic and
unknown.

--Michael
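The expired-signature failure mentioned in this message can be caught before it causes an outage by checking each RRSIG's validity window. The following is an added example, not part of the original message and not ISC's DLV tooling; the records, the three-day warning threshold and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: RRSIG records in RFC 4034 presentation format, as a
# DNSSEC-aware lookup tool prints them. Names, key tags and signatures are made up.
SAMPLE = """\
; owner TTL class RRSIG covered alg labels origttl expiration inception tag signer sig
ok.example.      3600 IN RRSIG A 8 2 3600 20110701000000 20110601000000 11111 ok.example. c2lnLW9r
soon.example.    3600 IN RRSIG A 8 2 3600 20110616000000 20110517000000 22222 soon.example. c2lnLXNvb24=
expired.example. 3600 IN RRSIG A 8 2 3600 20110610000000 20110511000000 33333 expired.example. c2lnLWV4cA==
early.example.   3600 IN RRSIG A 8 2 3600 20110801000000 20110701000000 44444 early.example. c2lnLWVhcmx5
"""

def parse_time(field):
    """RRSIG times are YYYYMMDDHHmmSS (UTC) or decimal seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsig(line):
    """Return owner and validity window of one RRSIG line, or None if not an RRSIG."""
    fields = line.split(";", 1)[0].split()   # drop trailing comments
    if "RRSIG" not in fields[1:]:
        return None
    i = fields.index("RRSIG", 1)             # TTL and class before it are optional
    if len(fields) < i + 9:
        return None                          # truncated record
    # After RRSIG: covered, algorithm, labels, original TTL, expiration, inception, ...
    return {"owner": fields[0], "covered": fields[i + 1],
            "expiration": parse_time(fields[i + 5]),
            "inception": parse_time(fields[i + 6])}

def classify(rec, now, warn=timedelta(days=3)):
    """Classify a signature's validity window against the current time."""
    if now > rec["expiration"]:
        return "expired"
    if now < rec["inception"]:
        return "not-yet-valid"               # often a skewed signer clock
    if rec["expiration"] - now <= warn:
        return "expiring-soon"               # re-sign before validators fail
    return "valid"

def audit(text, now):
    """Map each owner name to the status of its RRSIG."""
    recs = (parse_rrsig(line) for line in text.splitlines() if line.strip())
    return {r["owner"]: classify(r, now) for r in recs if r}

if __name__ == "__main__":
    for owner, status in audit(SAMPLE, datetime.now(timezone.utc)).items():
        print(f"{owner:20} {status}")
```
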
