[Dnssec-deployment] Size of dlv.isc.org [was: Re:DLV and in-addr.arpa]
mgraff at isc.org
Tue Jun 14 17:06:33 EDT 2011
-----BEGIN PGP SIGNED MESSAGE-----
On 6/14/11 3:32 PM, Paul Wouters wrote:
> On Tue, 14 Jun 2011, Michael Graff wrote:
>> The same in graphical form:
> wow. 20% of DNSSEC domain in DLV are broken? That's a very sad statistic.
> Are those brokem ones suspended from DLV? Or are they just left broken?
They are emailed frequently, but if after some time they are removed. I
believe the timer is 14 days.
Most of the failures are related to not falling back to TCP, or people
enter keys into DLV then remove them. The expired ones show the sad
state of the world -- even with normal DNSSEC, expired signatures will
As with the difference between AFS (which I loved) and NFS (which I
used), the failure modes between "plain DNS" and DNSSEC are drastic and
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the Dnssec-deployment