[dns-operations] Unplanned DLV zone outage on 2009-Apr-06
Edward Lewis
Ed.Lewis at neustar.biz
Tue Apr 7 02:09:03 UTC 2009
At 8:12 +0900 4/7/09, Randy Bush wrote:
>this is the issue i brought up in the san jose long ago meeting when
>joao first announced dlv. what is the trust model? this has never been
>answered in a satisfactory fashion.
I think you are being a bit harsh here as well as "barking up the wrong tree."
The issue you mention is true but it is not what's been called into
question here. The issues with DLV to date have been mechanical,
software errors. None of the missteps are rooted in policy.
I have my reservations about DLV. But it is providing a valuable
experience. This may sound like an insult, but each misstep that
happens highlights the importance of Secure Entry Point handling. If
you learn from mistakes, you need mistakes to happen.
>though i understand that isc means well with dlv, and is trying to paste
>over a political farce with a technical patch, the dlv trust model is
>essentially broken. it moves signed root trust from the iana to isc,
>and, aside from the fact that this very change is serious breakage,
>isc's trust process and policies are unclear.
Even if the root is signed and the TLDs follow suit, there's still a
niche that DLV can fill - the sub-sub zones below unsigned parts.
DNSSEC is coming (again, yes, I know, we've heard that before), but
it is going to take a few years. (At least we are no longer
promising 6 months, that's an improvement.)
DLV is also a good playground for early adopters, those that can
stand the high risk of this option. These folks are the ones we
"careful folk" learn a lot from. Hopefully they know what they are
stepping into, and we should thank them for that.
I am concerned that BIND has DLV "burned into it." (And to the ISC
folks, I am glossing over all of the technicalities like the user has
to turn it on, etc.) That's a little scary to me that it is so easy
to "get drugs to the kids." This makes it easy for the users of the
verifier to become dependent on ISC's policies - but, this is not the
issue. For now it's only a concern to paranoid people like me.
But - at least someone (ISC) is doing more than talk, err, write.
They are diving into operations.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Getting everything you want is easy if you don't want much.