Re: Last Call comment on draft-weiler-dnssec-dlv-iana-00.txt
> Mark,
> 
> On Aug 29, 2007, at 4:23 PM, Mark Andrews wrote:
> >> If the root gets signed and you remove the DLV stuff, won't you break
> >> any caching resolver that still has the DLV trust anchor configured?
> > 	No.  Please re-read the quoted paragraph.  The root's DLV
> > 	will be there.
> 
> Please re-read my question.
> 
> >
> > 	You only need DLV records where there is a missing link in the
> > 	trust chain.  If you have "." you don't need a DLV for "se" as
> > 	there will be a DS for "se" in the root zone.
> 
> Perhaps surprisingly, I understand this.
> 
> My question, somewhat expanded, is:
> 
> If you configure a trust anchor for "the" DLV registry and at some  
> point in time in the future, that DLV registry ceases to function  
> _and you have not changed the trust anchor configuration_, won't  
> validation fail?
> 
> The point of this question:
> 
> If you start mucking about with production services that require  
> configuration on the part of system administrators (particularly in  
> the somewhat arcane world of DNSSEC trust anchors), it can become  
> quite difficult to stop that production service without breaking  
> stuff.  Is this a place we want to go for a temporary hack?
> 
> Thanks,
> -drc
> 

	We were well aware of that.  A minimal DLV is a signed empty
	zone.  Aggressive negative caching will reduce the query
	load to 1 query per neg ttl.  ~1 query every 3 hours with
	current defaults.

	Once you are in the DLV registry business you are in it for
	the long haul.  I expect it would take years to taper off.

	ISC also has a mailing list to inform people of roll overs
	on the DLV trust anchor.  This same list can be used to
	inform people that the DLV registry is shutting down
	(going to minimal state).

	If one wants to force the issue one lets the RRSIG expire
	which will break resolution for anything for which there is
	not a trust chain from an alternate trust anchor.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
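As an added example, not code from the thread or from ISC, here is a small Python check that makes Mark's two points concrete for a resolver that still carries the DLV trust anchor: a "minimal DLV" is a signed empty apex whose negative answers are cached once per negative TTL, and letting the RRSIGs expire is what turns that into a validation failure. It assumes RRSIGs in RFC 4034 presentation format, the RFC 2308 negative-TTL rule, and a constructed sample zone with placeholder signature data.

```python
import re
from datetime import datetime, timezone

# Constructed sample zone (not real ISC DLV data): the "minimal DLV" Mark
# describes, a signed apex with no DLV records, so every lookup is a signed
# negative answer. Signature data is replaced by a placeholder.
SAMPLE_ZONE = """\
dlv.example. 10800 IN SOA ns.dlv.example. host.dlv.example. 2007083001 7200 3600 1209600 10800
dlv.example. 10800 IN RRSIG SOA 5 2 10800 20071001000000 20070901000000 12345 dlv.example. SIGDATA
dlv.example. 10800 IN NS ns.dlv.example.
dlv.example. 10800 IN RRSIG NS 5 2 10800 20071001000000 20070901000000 12345 dlv.example. SIGDATA
dlv.example. 10800 IN NSEC dlv.example. NS SOA RRSIG NSEC DNSKEY
dlv.example. 10800 IN RRSIG NSEC 5 2 10800 20071001000000 20070901000000 12345 dlv.example. SIGDATA
"""

# RRSIG presentation format (RFC 4034):
# owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+")

def _ts(s):
    """Parse an RRSIG YYYYMMDDHHmmSS timestamp as UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_windows(zone_text):
    """Map each covered type to its (inception, expiration) validity window."""
    windows = {}
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            windows[m.group(1)] = (_ts(m.group(3)), _ts(m.group(2)))
    return windows

def negative_ttl(zone_text):
    """RFC 2308 negative-cache TTL: the smaller of the SOA TTL and SOA MINIMUM."""
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 11 and f[3] == "SOA":
            return min(int(f[1]), int(f[10]))
    raise ValueError("no SOA record")

def queries_per_day(zone_text):
    """Upper bound on one resolver's queries to the minimal DLV zone per day."""
    return 86400 // negative_ttl(zone_text)

def dlv_state(zone_text, now_ts):
    """What a resolver still carrying the DLV trust anchor sees at now_ts.
    A negative answer needs valid SOA and NSEC signatures, so the earliest
    expiration among the zone's RRSIGs is when validation starts to fail."""
    now = _ts(now_ts)
    windows = rrsig_windows(zone_text)
    inception = max(w[0] for w in windows.values())
    expiration = min(w[1] for w in windows.values())
    if now < inception:
        return "not yet valid"
    if now >= expiration:
        return "expired"   # lookups relying on this anchor now fail to validate
    return "minimal"       # signed negative answers, cached once per negative TTL
```

With a 10800-second negative TTL this gives the "about one query every three hours" load Mark mentions, and the state flips to "expired" at the first RRSIG expiration.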

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.