[dns-operations] Unplanned DLV zone outage on 2009-Apr-06

Paul Vixie vixie at isc.org
Tue Apr 7 00:35:09 UTC 2009


> this is the issue i brought up in the san jose long ago meeting when joao
> first announced dlv.  what is the trust model?  this has never been
> answered in a satisfactory fashion.

in san jose, your question got an answer from joao which is that if we can
verify that a key belongs to the owner of a zone and that the owner wants
it published, we publish it.  i know that this answer isn't much better
than your question, but upon reflection i wonder if you could ask a better
question so that isc (probably in the person of michael graff, incoming ISC
DLV programme manager) can provide a better answer.  it's a necessary and
useful discussion to have.

> though i understand that isc means well with dlv, and is trying to paste
> over a political farce with a technical patch, the dlv trust model is
> essentially broken.  it moves signed root trust from the iana to isc,
> and, aside from the fact that this very change is serious breakage, isc's
> trust process and policies are unclear.
> 
> randy

interestingly, the set of people who are convinced that icann is trying to
take over the world generally does not overlap with the set of people who
are convinced that isc is trying to take over the world.  i think this
means that the dlv trust model, if it is broken, is technically broken
rather than politically broken.  but foregoing all that for now, let's find
out if the trust model is broken, and if there's general agreement on that,
let's fix it.

paul


