[Dnssec-deployment] DLV - it's not just for hostnames.

W.C.A. Wijngaards wouter at nlnetlabs.nl
Wed Jun 15 03:46:52 EDT 2011



Hi Michael,

On 06/14/2011 08:41 PM, Michael Sinatra wrote:
> Speaking strictly from a technical perspective, I don't see a lot of
> contradiction in what ISC is saying.  In testing ISC's name server
> implementation (BIND), when configured to do both DLV and with a root
> trust-anchor, it follows the "traditional" chain of trust first.  If it
> can validate using the traditional method, it doesn't even touch DLV.  So
> even if DLV ostensibly stays around, the amount of use it gets, and the
> amount I rely upon it will continue to get crowded out as more zones are
> signed with traditional DSes in their parents.  I am pretty sure unbound
> works the same way, but someone can confirm that.

Yes, if a DS exists then it does not bother the DLV server.  Also there
is negative caching, to help the DLV server.

FWIW, I think the DLV is a deployment helper that has not seen its end;
good to see increase in enthusiasm about DNSSEC.  And the expired is
hopefully the experimental nature of test-domains registered ... Our
local resolver mainly sees the 999 broken-by-purpose domains created for
testing with validation failures, using the root anchor for normal
traffic (or what is normal for a DNS lab).

Verisign's (linky from Duane if he does not mind me reposting it)
http://scoreboard.verisignlabs.com/count-trace.png graph also increases.

sec-spider http://secspider.cs.ucla.edu/images/growth.png shows an
increase as well.  For expired, this is the graph to look at, I believe:
http://secspider.cs.ucla.edu/images/vuln-rrsets.png
That is logscale, so, looks all right and something for best-practices,
monitoring of the stuff (just like you should have been doing for
regular DNS all along).  Plain link to secspider
http://secspider.cs.ucla.edu/ for the curious, although I am not sure
the project continues or if I should be posting links to it.

Best regards,
   Wouter
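The lookup order discussed above (DS chain first, DLV only when the chain ends at a delegation without a DS, with negative answers cached so the DLV server is not asked again) as an added, constructed Python model; this is not BIND or Unbound code, and the zone data, the DLV registry contents and the names are all made up for the example:

```python
# Constructed model of a validator holding both a root trust anchor and a
# DLV anchor. It walks the normal DS chain first and only consults the DLV
# registry when that chain stops at a delegation with no DS. DLV answers,
# including negative ones, are cached so the DLV server is not asked twice.

# Constructed zone data: zones whose parent publishes a DS for them, and
# zones that have registered a DLV record (hypothetical registry contents).
DS_PUBLISHED = {"nl.", "nlnetlabs.nl.", "example.", "broken.test."}
DLV_REGISTRY = {"lab.example."}

def ancestors(name):
    """Return name and every parent up to the root, e.g. a.b. -> [a.b., b., .]."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

class Validator:
    def __init__(self):
        self.dlv_queries = 0      # how often the DLV server was actually asked
        self.dlv_cache = {}       # name -> True/False; negative answers cached too

    def dlv_lookup(self, name):
        """Ask the DLV registry once per name; later calls hit the cache."""
        if name not in self.dlv_cache:
            self.dlv_queries += 1
            self.dlv_cache[name] = name in DLV_REGISTRY
        return self.dlv_cache[name]

    def validate(self, qname):
        """Return 'secure:chain', 'secure:dlv' or 'insecure' for qname."""
        chain = ancestors(qname)[::-1]        # root first, qname last
        unsigned_from = None
        for zone in chain[1:]:                # the root is anchored directly
            if zone not in DS_PUBLISHED:
                unsigned_from = zone          # chain of trust stops at this cut
                break
        if unsigned_from is None:
            return "secure:chain"             # DLV never consulted
        # Chain broke: look for a DLV record for qname, then each parent,
        # stopping at the insecure cut (RFC 5074 walks upward like this).
        below_cut = chain[chain.index(unsigned_from):]   # cut .. qname
        for name in reversed(below_cut):
            if self.dlv_lookup(name):
                return "secure:dlv"
        return "insecure"
```

Running validate() twice for the same unregistered name shows the negative cache: the second call adds no DLV queries.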

