[Dnssec-deployment] DLV - it's not just for hostnames.
Osterweil, Eric
eosterweil at verisign.com
Thu Jun 23 10:58:00 EDT 2011
On 6/15/11 3:46 AM, "W.C.A. Wijngaards" <wouter at nlnetlabs.nl> wrote:
>
> Hi Michael,
>
> On 06/14/2011 08:41 PM, Michael Sinatra wrote:
>> Speaking strictly from a technical perspective, I don't see a lot of
>> contradiction in what ISC is saying. In testing ISC's name server
>> implementation (BIND), when configured to do both DLV and with a root
>> trust-anchor, it follows the "traditional" chain of trust first. If it
>> can validate using the traditional method, it doesn't even touch DLV. So
>> even if DLV ostensibly stays around, the amount of use it gets, and the
>> amount I rely upon it will continue to get crowded out as more zones are
>> signed with traditional DSes in their parents. I am pretty sure unbound
>> works the same way, but someone can confirm that.
>
> Yes, if a DS exists then it does not bother the DLV server. Also there
> is negative caching, to help the DLV server.
>
> FWIW, I think the DLV is a deployment helper that has not seen its end;
> good to see increase in enthusiasm about DNSSEC. And the expired is
> hopefully the experimental nature of test-domains registered ... Our
> local resolver mainly sees the 999 broken-by-purpose domains created for
> testing with validation failures, using the root anchor for normal
> traffic (or what is normal for a DNS lab).
>
> Verisign's (linky from Duane if he does not mind me reposting it)
> http://scoreboard.verisignlabs.com/count-trace.png graph also increases.
>
> sec-spider http://secspider.cs.ucla.edu/images/growth.png shows an
> increase as well. For expired, this is the graph to look at, I believe:
> http://secspider.cs.ucla.edu/images/vuln-rrsets.png
> That is logscale, so, looks all right and something for best-practices,
> monitoring of the stuff (just like you should have been doing for
> regular DNS all along). Plain link to secspider
> http://secspider.cs.ucla.edu/ for the curious, although I am not sure
> the project continues or if I should be posting links to it.
It is still a live project, though undergoing silent upgrades. Thanks for
the pointers. :)
Eric
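The lookup order Michael and Wouter describe above (regular DS chain first, DLV registry only as a fallback, negative answers cached so the registry is not asked twice), as an added Python sketch that is not part of this thread nor code from BIND or Unbound; the registry name dlv.example and the zone data are constructed for illustration.

```python
"""Simulate a validator that has both a root trust anchor and a DLV
registry configured: the DS chain is tried first, the DLV registry is
consulted only when no DS exists, and negative DLV answers are cached.
Added example; "dlv.example" and the zone data below are constructed."""

# Constructed snapshot of what the resolver would learn from the DNS:
# which zones have a DS in their parent, and which names are registered
# in the (assumed) DLV registry dlv.example.
DLV_REGISTRY = "dlv.example"
HAS_DS = {"signed.test"}                  # parent publishes a DS
DLV_ENTRIES = {"old.test.dlv.example"}    # registered in DLV

dlv_queries = []          # every DLV-registry lookup actually sent
negative_cache = set()    # DLV names already known not to exist


def labels(name):
    return name.rstrip(".").split(".")


def ds_chain_validates(zone):
    # Stand-in for walking the chain from the root: does the parent
    # publish a DS for this zone?
    return zone in HAS_DS


def lookup_dlv(name):
    """Return True if the DLV registry has an entry for `name`."""
    dlv_name = f"{name}.{DLV_REGISTRY}"
    if dlv_name in negative_cache:
        return False            # answered from cache; no query sent
    dlv_queries.append(dlv_name)
    if dlv_name in DLV_ENTRIES:
        return True
    negative_cache.add(dlv_name)
    return False


def trust_source(zone):
    """'ds' if the regular chain covers the zone, 'dlv' if a DLV entry
    does (searching from the zone's own name up to its TLD), else None."""
    if ds_chain_validates(zone):
        return "ds"             # DLV is never touched
    parts = labels(zone)
    for i in range(len(parts)):   # most specific name first
        if lookup_dlv(".".join(parts[i:])):
            return "dlv"
    return None
```

Once a zone has a DS in its parent, `trust_source` never sends a DLV query for it, which is the crowding-out effect described in the thread.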