[dns-operations] Unplanned DLV zone outage on 2009-Apr-06

Mark Andrews Mark_Andrews at isc.org
Tue Apr 7 00:05:26 UTC 2009


In message <m263hhpea3.wl%randy at psg.com>, Randy Bush writes:
> >>> We plan to continue to test and improve our internal procedures,
> >>> monitoring and hardware platform over the next two weeks, at which
> >>> point the service will be announced as being in Full Production.
> >> I'm curious: what does "being in Full Production" mean?
> > hasn't the word gotten down to you yet?  isc is taking over icann, and
> > with it, the iana.
> 
> a friend has whacked me that i am being too terse and subtle again.
> 
> this is the issue i brought up in the san jose long ago meeting when
> joao first announced dlv.  what is the trust model?  this has never been
> answered in a satisfactory fashion.

	Data is accepted if you can prove you have control of the
	nameservers for the zone.  We also pull in the ITAR contents.
 
> though i understand that isc means well with dlv, and is trying to paste
> over a political farce with a technical patch, the dlv trust model is
> essentially broken.  it moves signed root trust from the iana to isc,
> and, aside from the fact that this very change is serious breakage,
> isc's trust process and policies are unclear.

	No it doesn't.  When IANA signs the root and you add the
	trusted keys for the root to named.conf named won't look
	in the DLV to validate answers that are part of the island
	of security identified by the root's trusted key.

	This applies for all trusted-keys.  Named only looks in the
	DLV if the answer is insecure using the configured trusted
	keys.

	We would love to have the root and org signed as then it
	wouldn't be necessary to have a trusted key for dlv.isc.org
	unless you wanted one.

	DLV bridges the gaps in the DNSSEC trust paths.  It doesn't
	replace the DNSSEC trust paths.  At the moment there is a
	gap at the root.

	Mark
 
> randy
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
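As an added illustration of the lookup order Mark describes (this is not configuration from the message or from ISC), here is a named.conf fragment for BIND 9 of that era. The key strings are placeholders, not real key material, and "example.org" is a made-up name used only in the comments:

```conf
// Added example: validator configuration showing how a configured
// trust anchor and DLV interact.  Key material is a placeholder.
trusted-keys {
    // Root KSK (placeholder).  Once the root is signed and this anchor is
    // present, anything inside the root's island of security is validated
    // from here and the DLV is never consulted for it.
    "." 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64";

    // Key for the DLV zone itself (placeholder).  Only needed while there
    // is a gap between a configured anchor and the zone being validated.
    dlv.isc.org. 257 3 5 "PLACEHOLDER-DLV-KSK-BASE64";
};

options {
    dnssec-enable yes;
    dnssec-validation yes;

    // Consult dlv.isc.org for names that come back insecure under the
    // configured trusted-keys, e.g. example.org while org is unsigned.
    dnssec-lookaside "." trust-anchor dlv.isc.org;
};
```

With only the dlv.isc.org key configured (the 2009 situation), every validation that cannot reach a trusted-keys anchor falls through to the DLV lookup; adding a root anchor does not change that fall-through for names with a gap above them, it simply removes the gap for everything the root chain covers. As a caveat for anyone reading this later: ISC retired the DLV registry in 2017, and the `dnssec-lookaside` option was deprecated in later BIND 9 releases, so the root trust anchor is now the only chain a validator needs.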