[Dnssec-deployment] Size of dlv.isc.org [was: Re:DLV and in-addr.arpa]
Mark Andrews
marka at isc.org
Tue Jun 14 21:24:47 EDT 2011
In message <4DF7CD59.3090607 at isc.org>, Michael Graff writes:
> On 6/14/11 3:32 PM, Paul Wouters wrote:
> > On Tue, 14 Jun 2011, Michael Graff wrote:
> >
> >> The same in graphical form:
> >>
> >> https://dlv.isc.org/system/dnskey_history.png
> >
> > wow. 20% of DNSSEC domains in DLV are broken? That's a very sad statistic.
> >
> > Are those broken ones suspended from DLV? Or are they just left broken?
>
> They are emailed frequently, but after some time they are removed. I
> believe the timer is 14 days.
>
> Most of the failures are related to not falling back to TCP, or people
> enter keys into DLV then remove them. The expired ones show the sad
> state of the world -- even with normal DNSSEC, expired signatures will
> cause outages.
>
> As with the difference between AFS (which I loved) and NFS (which I
> used), the failure modes between "plain DNS" and DNSSEC are drastic and
> unknown.
One also has to compare this to the percentage of broken delegations
in plain DNS. If registries pulled broken delegations that remained
broken after a grace period to have them fixed I think we would all
be better off.
Broken delegation:
* mis-matching NS RRsets.
* glue without matching address records in the zone.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
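The two delegation checks Mark lists (parent/child NS RRset mismatch, and glue that does not match the child zone's own address records) in runnable form, as an added example that is not part of the thread. The parent and child data are constructed stand-ins for what an operator would fetch from the delegating and authoritative servers; the function names and the `(kind, name, details)` result shape are my own choices.

```python
# Added example, not from the mailing-list thread: offline consistency checks
# for a delegation, over constructed parent/child data rather than live queries.
from typing import Dict, Iterable, List, Set, Tuple

Problem = Tuple[str, str, List[str]]  # (kind, owner name, details)


def canon(name: str) -> str:
    """Lower-case, fully-qualified form so 'NS1.Example.Test' == 'ns1.example.test.'."""
    return name.rstrip(".").lower() + "."


def in_bailiwick(host: str, zone: str) -> bool:
    """True when host is at or below zone; only such names carry glue at the parent."""
    h, z = canon(host), canon(zone)
    return h == z or h.endswith("." + z)


def check_delegation(zone: str,
                     parent_ns: Iterable[str], child_ns: Iterable[str],
                     parent_glue: Dict[str, Set[str]],
                     child_addrs: Dict[str, Set[str]]) -> List[Problem]:
    """Report NS RRset mismatches and stale in-bailiwick glue; [] means consistent."""
    problems: List[Problem] = []
    pns = {canon(n) for n in parent_ns}
    cns = {canon(n) for n in child_ns}
    if pns != cns:
        # Names present on only one side of the delegation.
        problems.append(("ns_mismatch", canon(zone), sorted(pns ^ cns)))
    zone_addrs: Dict[str, Set[str]] = {}
    for host, addrs in child_addrs.items():
        zone_addrs.setdefault(canon(host), set()).update(addrs)
    for host, glue in parent_glue.items():
        h = canon(host)
        if not in_bailiwick(h, zone):
            continue  # out-of-zone server names have no glue to compare
        stale = set(glue) - zone_addrs.get(h, set())
        if stale:
            problems.append(("stale_glue", h, sorted(stale)))
    return problems


# Constructed sample: parent still lists ns2 with glue, child has moved to ns3.
SAMPLE = dict(
    zone="example.test",
    parent_ns={"ns1.example.test", "ns2.example.test"},
    child_ns={"NS1.example.test.", "ns3.example.test."},
    parent_glue={"ns1.example.test": {"192.0.2.1"}, "ns2.example.test": {"192.0.2.2"}},
    child_addrs={"ns1.example.test": {"192.0.2.1"}, "ns3.example.test": {"192.0.2.3"}},
)

if __name__ == "__main__":
    for kind, name, details in check_delegation(**SAMPLE):
        print(kind, name, ", ".join(details))
```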