[dns-operations] Florian Weimer: Re: On-going Internet Emergency and Domain Names
fw at deneb.enyo.de
Sun Apr 1 16:14:01 UTC 2007
* Paul Vixie:
>> From: Florian Weimer <fw at deneb.enyo.de>
>> Well, once more people learn about DLV (especially the NS override
>> extension that has been requested by zone operators),
> do tell? as the primary promulgator of dlv i'd've expected to hear about
> anything with a sexy name like "NS override extension".
The basic issue, as I understand it, is that zone operators don't want
to serve the DNSSEC-enabled zone from their regular name servers.
They'd rather want to set up a completely separate infrastructure.
Stephane can probably explain it better.
> yes but davidu or any of the DHT people could roll something like
> this out in their own nameservers, and probably have suggestions for
> a scalable poison system using hashes to avoid flooding the whole
> network with reputation traffic. it's worth listening to these
> ideas even if there's no way to get instantly gratifying traction on
> them this week.
I would rather see resolvers made authoritative for the lookaside
zones. From a privacy point of view, this is preferable because
queries don't leak to new parties. On the other hand, this makes it
more difficult to release emergency updates.
I'm not sure if DHTs are the answer here because we deal with
intrinsically bad records which might have been devised to trigger
algorithmic complexity issues.