[Dnssec-deployment] DLV - it's not just for hostnames.
wouter at nlnetlabs.nl
Wed Jun 15 03:46:52 EDT 2011
On 06/14/2011 08:41 PM, Michael Sinatra wrote:
> Speaking strictly from a technical perspective, I don't see a lot of
> contradiction in what ISC is saying. In testing ISC's name server
> implementation (BIND), when configured to do both DLV and with a root
> trust-anchor, it follows the "traditional" chain of trust first. If it
> can validate using the traditional method, it doesn't even touch DLV. So
> even if DLV ostensibly stays around, the amount of use it gets, and the
> amount I rely upon it will continue to get crowded out as more zones are
> signed with traditional DSes in their parents. I am pretty sure unbound
> works the same way, but someone can confirm that.
Yes, if a DS exists then it does not bother the DLV server. Also there
is negative caching, to help the DLV server.
FWIW, I think the DLV is a deployment helper that has not seen its end;
good to see the increase in enthusiasm about DNSSEC. And the expired ones are
hopefully the experimental nature of test domains registered ... Our
local resolver mainly sees the 999 broken-on-purpose domains created for
testing with validation failures, using the root anchor for normal
traffic (or what is normal for a DNS lab).
Verisign's graph http://scoreboard.verisignlabs.com/count-trace.png (link
from Duane if he does not mind me reposting it) also increases.
SecSpider http://secspider.cs.ucla.edu/images/growth.png shows an
increase as well. For expired, this is the graph to look at, I believe:
That is log scale, so it looks all right and is something for best practices:
monitoring of the stuff (just like you should have been doing for
regular DNS all along). Plain link to SecSpider
http://secspider.cs.ucla.edu/ for the curious, although I am not sure
the project continues or if I should be posting links to it.
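As an added illustration (not part of the post above, nor code from BIND or Unbound), a toy Python model of the validator behaviour described in the thread: the traditional DS chain from the root anchor is tried first, DLV is consulted only for names where that chain is insecure, and cached DLV misses spare the DLV server repeat queries. The zone data, the registry contents and the DLV domain dlv.example. are constructed; for simplicity every label is treated as a zone cut.

```python
# Constructed toy data: zones whose parent publishes a DS (secure delegations)
DS_IN_PARENT = {"nl.", "nlnetlabs.nl.", "org."}
# Constructed: zones that registered a key with the (fictional) DLV registry
DLV_REGISTRY = {"example.org."}


def ancestors(name):
    """Yield the name and each enclosing zone, e.g. www.example.org. -> org."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


class Validator:
    def __init__(self, ds_in_parent, dlv_registry, dlv_domain="dlv.example."):
        self.ds_in_parent = ds_in_parent
        self.dlv_registry = dlv_registry
        self.dlv_domain = dlv_domain        # constructed placeholder, not a real registry
        self.dlv_queries = []               # every query actually sent to the DLV server
        self.negative_cache = set()         # DLV names already known to be absent

    def secure_via_ds(self, name):
        """Traditional chain of trust: a DS at every cut from the root down."""
        return all(zone in self.ds_in_parent for zone in ancestors(name))

    def query_dlv(self, zone):
        """One round trip to the DLV registry, unless a cached miss answers it."""
        dlv_name = zone.rstrip(".") + "." + self.dlv_domain
        if dlv_name in self.negative_cache:
            return False                    # negative caching: no traffic to the DLV server
        self.dlv_queries.append(dlv_name)
        found = zone in self.dlv_registry
        if not found:
            self.negative_cache.add(dlv_name)
        return found

    def validate(self, name):
        # Step 1: DS chain from the root anchor. If it validates, DLV is never touched.
        if self.secure_via_ds(name):
            return "secure (DS chain)"
        # Step 2: the chain broke at an insecure delegation. Ask DLV for the name
        # and its parents, stopping at the first zone the DS chain already covers.
        for zone in ancestors(name):
            if self.secure_via_ds(zone):
                break
            if self.query_dlv(zone):
                return "secure (DLV)"
        return "insecure"
```

Running the same insecure name twice shows the second lookup generates no DLV traffic at all, which is the effect the post attributes to negative caching.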