[dns-operations] Florian Weimer: Re: On-going Internet Emergency and Domain Names

Florian Weimer fw at deneb.enyo.de
Sun Apr 1 16:14:01 UTC 2007


* Paul Vixie:

>> From: Florian Weimer <fw at deneb.enyo.de>
>> 
>> Well, once more people learn about DLV (especially the NS override
>> extension that has been requested by zone operators),
>
> do tell?  as the primary promulgator of dlv i'd've expected to hear about
> anything with a sexy name like "NS override extension".

The basic issue, as I understand it, is that zone operators don't want
to serve the DNSSEC-enabled zone from their regular name servers.
They'd rather want to set up a completely separate infrastructure.

Stephane can probably explain it better.

> yes but davidu or any of the DHT people could roll something like
> this out in their own nameservers, and probably have suggestions for
> a scalable poison system using hashes to avoid flooding the whole
> network with reputation traffic.  it's worth listening to these
> ideas even if there's no way to get instantly gratifying traction on
> them this week.

I would rather see resolvers made authoritative for the lookaside
zones.  From a privacy point of view, this is preferable because
queries don't leak to new parties.  On the other hand, this makes it
more difficult to release emergency updates.

I am not sure if DHTs are the answer here because we deal with
intrinsically bad records which might have been devised to trigger
algorithmic complexity issues.


