[dns-operations] Unplanned DLV zone outage on 2009-Apr-06

Paul Vixie vixie at isc.org
Tue Apr 7 06:48:31 UTC 2009


[randy bush]
> let me try again, i do not think it can be fixed.  this is what i was
> trying to say in the following:
> 
> >[randy bush]
> >> imiho, we can not do that without recreating the iana.  and the iana
> >> we have works pretty well, especially if we can get it detached from
> >> the usg and the icann.  so fix it rather than rediscovering how such
> >> things get broken.
> 
> we need to fix the remaining issues with the iana not try to supplant it.
> in attempting to build a trust model to supplant it, we will rediscover
> why the iana is what/how it is.
> 
> when george says to me "harry's widgets are too expensive.  i can do them
> for half the price." nine times out of ten, george is gonna discover why
> harry's widgets are priced the way they are.  the devil is in the
> details.

in those terms DLV is a bet against "fixing IANA".  when david conrad first
told me about the approach we now call DLV, i knew that ISC had the ability
through some protocol work and some software work and some operations work
to make conrad's proposed mechanism work.  sadly, i also knew we'd have to
fund it through grants, since a registration fee would poison our apparent
motives.

folks behind the scenes can all nod their heads when i say, i'm still trying
to "fix IANA" if by that you mean get the root zone signed and get the TLDs
signed and make DLV irrelevant.  but i am betting against that effort.  i do
not think the world is ready for a signed root because the world keeps asking
itself the question "how would this change the shape of the conference table?"

so DLV is a bet that people really do want DNSSEC and that the root really
will not be signed in production fast enough to address that need.  it's a
bet i'd be happy to lose, and losing it wouldn't cost ISC a penny.  but i
don't think we can "fix IANA" (if by that you mean sign the root and a
bunch of TLDs) fast enough to meet the world's appetite for DNSSEC.  so i'm
betting that DLV will have even more relevance in the years to come.

i sometimes sit in the same meeting room with the IANA GM and i've found each
of them to be skilled, capable, competent... and hamstrung by politics.  DLV
has no such strings.  when ISC started importing ITAR from IANA we knew that
we could trust IANA's relationships with the TLD operators who supplied those
keys, and we could trust IANA's verification that those keys were correct and
that those keys were intended to be used.  i am a great respecter of IANA both
now and in the past and for the future.  i am not a respecter of the politics
that has hamstrung, now hamstrings, and will hamstring IANA through the ages.

you'd be right if you called that lack of respect "naive".  i was heartened
to hear you use the words "well intentioned".  but it sounds like you don't
have any specific gripes against ISC's key management policies (as in, who we
trust and why, and what an appearance of a DLV RR in the DLV registry means.)
barring such specifics, let's move on.
