[Dnssec-deployment] Size of dlv.isc.org [was: Re:DLV and in-addr.arpa]
marka at isc.org
Tue Jun 14 21:24:47 EDT 2011
In message <4DF7CD59.3090607 at isc.org>, Michael Graff writes:
> On 6/14/11 3:32 PM, Paul Wouters wrote:
> > On Tue, 14 Jun 2011, Michael Graff wrote:
> >> The same in graphical form:
> >> https://dlv.isc.org/system/dnskey_history.png
> > wow. 20% of DNSSEC domains in DLV are broken? That's a very sad statistic.
> > Are those broken ones suspended from DLV? Or are they just left broken?
> They are emailed frequently, but if after some time they are removed. I
> believe the timer is 14 days.
> Most of the failures are related to not falling back to TCP, or people
> enter keys into DLV then remove them. The expired ones show the sad
> state of the world -- even with normal DNSSEC, expired signatures will
> cause outages.
> As with the difference between AFS (which I loved) and NFS (which I
> used), the failure modes between "plain DNS" and DNSSEC are drastic and
One also has to compare this to the percentage of broken delegations
in plain DNS. If registries pulled broken delegations that remained
broken after a grace period to have them fixed I think we would all
be better off.
* mis-matching NS RRsets.
* glue without matching address records in the zone.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
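
The two plain-DNS delegation faults listed in the message above, as a check a zone operator could run. This is an added example, not part of the original post or any ISC tool; the zone name, record data and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: records the parent zone publishes for the delegation...
PARENT = """
example.org.     86400 IN NS ns1.example.org.
example.org.     86400 IN NS ns2.example.org.
ns1.example.org. 86400 IN A  192.0.2.1
ns2.example.org. 86400 IN A  192.0.2.2   ; glue
"""
# ...and constructed records served by the child zone itself.
CHILD = """
example.org.     3600 IN NS NS1.Example.org.
example.org.     3600 IN NS ns3.example.org.
ns1.example.org. 3600 IN A  192.0.2.1
ns3.example.org. 3600 IN A  192.0.2.3
"""

def norm(name):
    """Lower-case a domain name and make it fully qualified."""
    return name.lower().rstrip(".") + "."

def parse(text):
    """Parse 'owner ttl class type rdata' lines into {(owner, type): {rdata}}."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rtype = rtype.upper()
        rdata = norm(rdata) if rtype == "NS" else rdata.strip().lower()
        rrsets[(norm(owner), rtype)].add(rdata)
    return rrsets

def lint_delegation(zone, parent_text, child_text):
    """Return findings for the two delegation faults listed in the message."""
    zone, parent, child = norm(zone), parse(parent_text), parse(child_text)
    findings = []
    p_ns = parent.get((zone, "NS"), set())
    c_ns = child.get((zone, "NS"), set())
    if p_ns != c_ns:  # mis-matching NS RRsets
        findings.append(("ns-mismatch", sorted(p_ns - c_ns), sorted(c_ns - p_ns)))
    for owner, rtype in sorted(parent):  # glue without a matching address record
        if rtype in ("A", "AAAA") and owner.endswith("." + zone):
            missing = parent[(owner, rtype)] - child.get((owner, rtype), set())
            if missing:
                findings.append(("glue-unmatched", owner, rtype, sorted(missing)))
    return findings

if __name__ == "__main__":
    for finding in lint_delegation("example.org", PARENT, CHILD):
        print(finding)
```

In the first finding, the second field lists name servers only the parent publishes and the third lists those only the child publishes.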