[dns-operations] Unplanned DLV zone outage on 2009-Apr-06

Edward Lewis Ed.Lewis at neustar.biz
Tue Apr 7 02:09:03 UTC 2009

At 8:12 +0900 4/7/09, Randy Bush wrote:

>this is the issue i brought up in the san jose long ago meeting when
>joao first announced dlv.  what is the trust model?  this has never been
>answered in a satisfactory fashion.

I think you are being a bit harsh here as well as "barking up the wrong tree."

The issue you mention is true but it is not what's been called into 
question here.  The issues with DLV to date have been mechanical, 
software errors.  None of the missteps are rooted in policy.

I have my reservations about DLV.  But it is providing a valuable 
experience.  This may sound like an insult, but each misstep that 
happens highlights the importance of Secure Entry Point handling.  If 
you learn from mistakes, you need mistakes to happen.

>though i understand that isc means well with dlv, and is trying to paste
>over a political farce with a technical patch, the dlv trust model is
>essentially broken.  it moves signed root trust from the iana to isc,
>and, aside from the fact that this very change is serious breakage,
>isc's trust process and policies are unclear.

Even if the root is signed and the TLDs follow suit, there's still a 
niche that DLV can fill - the sub-sub zones below unsigned parts. 
DNSSEC is coming (again, yes, I know, we've heard that before), but 
it is going to take a few years.  (At least we are no longer 
promising 6 months, that's an improvement.)

DLV is also a good playground for early adopters.  Those that can 
stand the high risk of this option.  These folks are the ones we 
"careful folk" learn a lot from.  Hopefully they know what they are 
stepping into, and we should thank them for that.

I am concerned that BIND has DLV "burned into it."  (And to the ISC 
folks, I am glossing over all of the technicalities like the user has 
to turn it on, etc.)  That's a little scary to me that it is so easy 
to "get drugs to the kids."  This makes it easy for the users of the 
verifier to become dependent on ISC's policies - but, this is not the 
issue.  But now it's only a concern to paranoid people like me.

But - at least someone (ISC) is doing more than talk, err write. 
They are diving into operations.

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.
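To make concrete what the post means by the user having to "turn it on," here is an added illustration (not part of the original message, and not ISC's own configuration) of the two separate switches involved in a BIND 9 resolver of that era. The zone name and all key material are placeholders; the `dnssec-lookaside "." trust-anchor dlv.isc.org.;` form is the documented BIND syntax, but whether any given resolver should enable it is exactly the policy question the thread is about.

```conf
# Added illustration, not from the post or from ISC.  Shows what enabling
# DLV actually changes in a resolver, and what is left alone when it is off.
# All key data below is a PLACEHOLDER, not a real DNSKEY.

options {
    # Switch 1: validation.  With only these two lines plus the trusted-keys
    # below, the resolver treats as "secure" exactly those names that chain
    # to an anchor the operator chose.  Nothing else is trusted.
    dnssec-enable yes;
    dnssec-validation yes;

    # Switch 2: lookaside.  This is the opt-in step the post refers to.  For
    # a name under "." that reaches no configured anchor, the resolver looks
    # up <name>.dlv.isc.org. and accepts a DLV record there as if it were a
    # DS record in the (unsigned) parent.  From this point on, which names
    # validate is governed by ISC's registry, so the set of parties the
    # resolver trusts has grown by one.  Leave this line out to stay with
    # the anchors listed under trusted-keys only.
    dnssec-lookaside "." trust-anchor dlv.isc.org.;
};

trusted-keys {
    # An anchor the operator chose for a signed zone (placeholder name/key).
    "example.test." 257 3 5 "PLACEHOLDER-ZONE-KSK-BASE64==";

    # Needed only when dnssec-lookaside above is enabled: the DLV zone's own
    # key must itself be an anchor, or the lookaside chain cannot be
    # validated and lookaside silently buys nothing.  Placeholder key.
    "dlv.isc.org." 257 3 5 "PLACEHOLDER-DLV-KSK-BASE64==";
};
```

The point the example makes is the one the post gestures at: the lookaside line is one statement, but it is the statement that moves trust decisions to a registry the operator does not run, and an outage or key error in that registry (as in the subject of this thread) then shows up as validation failures for every name the resolver was relying on DLV to vouch for.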
