[Dnssec-deployment] DLV - it's not just for hostnames.

Osterweil, Eric eosterweil at verisign.com
Thu Jun 23 10:58:00 EDT 2011




On 6/15/11 3:46 AM, "W.C.A. Wijngaards" <wouter at nlnetlabs.nl> wrote:

> Hi Michael,
> 
> On 06/14/2011 08:41 PM, Michael Sinatra wrote:
>> Speaking strictly from a technical perspective, I don't see a lot of
>> contradiction in what ISC is saying.  In testing ISC's name server
>> implementation (BIND), when configured to do both DLV and with a root
>> trust-anchor, it follows the "traditional" chain of trust first.  If it
>> can validate using the traditional method, it doesn't even touch DLV.  So
>> even if DLV ostensibly stays around, the amount of use it gets, and the
>> amount I rely upon it will continue to get crowded out as more zones are
>> signed with traditional DSes in their parents.  I am pretty sure unbound
>> works the same way, but someone can confirm that.
> 
> Yes, if a DS exists then it does not bother the DLV server.  Also there
> is negative caching, to help the DLV server.
> 
> FWIW, I think the DLV is a deployment helper that has not seen its end;
> good to see increase in enthusiasm about DNSSEC.  And the expired is
> hopefully the experimental nature of test-domains registered ... Our
> local resolver mainly sees the 999 broken-by-purpose domains created for
> testing with validation failures, using the root anchor for normal
> traffic (or what is normal for a DNS lab).
> 
> Verisign's (linky from Duane if he does not mind me reposting it)
> http://scoreboard.verisignlabs.com/count-trace.png graph also increases.
> 
> sec-spider http://secspider.cs.ucla.edu/images/growth.png shows an
> increase as well.  For expired, this is the graph to look at, I believe:
> http://secspider.cs.ucla.edu/images/vuln-rrsets.png
> That is logscale, so, looks all right and something for best-practices,
> monitoring of the stuff (just like you should have been doing for
> regular DNS all along).  Plain link to secspider
> http://secspider.cs.ucla.edu/ for the curious, although I am not sure
> the project continues or if I should be posting links to it.



It is still a live project, though undergoing silent upgrades.  Thanks for
the pointers.  :)

Eric
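The validation-path behaviour discussed in the thread (root-anchored chain of trust first, DLV consulted only at or below the first delegation without a DS, and negative caching of DLV misses) as an added illustration. This is a simplified model with constructed zone data and a hypothetical DLV registry, not code from BIND, Unbound or this list.

```python
from dataclasses import dataclass, field

# Constructed sample data for the model: each zone cut and whether its
# parent publishes a DS record for it (True = normal chain of trust).
ZONES = {
    "example.": True,
    "signed.example.": True,
    "unsigned.example.": False,
    "test.": False,            # unsigned TLD in this toy tree
    "dlvonly.test.": False,    # no DS in its parent, but registered in DLV
}
# Hypothetical DLV registry contents (stand-in for DLV lookups).
DLV_REGISTRY = {"dlvonly.test."}


def zone_cuts(name):
    """Zone cuts above a name, closest to the root first (root itself omitted)."""
    labels = name.rstrip(".").split(".")
    candidates = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return [z for z in candidates if z in ZONES]


@dataclass
class Resolver:
    dlv_enabled: bool = True
    dlv_queries: int = 0                         # how often DLV was consulted
    dlv_negative_cache: set = field(default_factory=set)

    def validate(self, name):
        """Return 'secure', 'dlv-secure' or 'insecure'.  The root-anchored
        chain is followed first; DLV is only asked about zones at or below
        the first delegation that has no DS."""
        cuts = zone_cuts(name)
        unsigned = [z for z in cuts if not ZONES[z]]
        if not unsigned:
            return "secure"          # every DS present: DLV never touched
        if not self.dlv_enabled:
            return "insecure"
        # DLV lookups start at the chain break and continue towards the name.
        for zone in cuts[cuts.index(unsigned[0]):]:
            if zone in self.dlv_negative_cache:
                continue             # a cached miss saves a DLV query
            self.dlv_queries += 1
            if zone in DLV_REGISTRY:
                return "dlv-secure"
            self.dlv_negative_cache.add(zone)
        return "insecure"
```

Run `Resolver().validate("www.signed.example.")` and check `dlv_queries` stays at zero to see the "does not bother the DLV server" case; repeat a lookup under an unsigned zone to see the negative cache absorb the second query.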


