[dns-operations] Unplanned DLV zone outage on 2009-Apr-06

Samuel Weiler weiler at watson.org
Tue Apr 7 18:05:16 UTC 2009


First, I'll echo Lutz's comments about FUD based on ISC's activities. 
There's nothing inherent in the DLV protocol extensions that says you 
have to query ISC's DLV registry.  If you don't care for their single 
point of failure, add some redundancy to the world by running another 
registry.  DLV was specifically designed for multiple modes of use, 
including using private DLV registries to distribute trust anchors 
within an enterprise and using multiple DLV registries for redundancy 
and better coverage of the namespace.

On Tue, 7 Apr 2009, Joe Abley wrote:

> I tried to track down the answers to the following by reading documentation, 
> but I failed (which probably has more to do with me than the documentation).

You might have better luck with RFC5074.  For a description of the 
known differences between it and the ISC code, see:
http://mail.shinkuro.com:8100/lists/dnssec-deployment/Message/1253.html?Language=

> Can you configure multiple DLV zones on an unbound or BIND9 
> validator? What's the behaviour in the case that data exists in just 
> one DLV zone, and what's the behaviour if multiple DLV zones contain 
> different data? What about if one DLV zone is inaccessible, but 
> others aren't?

RFC5074 section 7 talks about how to do it, but, as far as I know, no 
shipping code handles multiple (or overlapping) DLV domains.  If the 
world had multiple useful DLV registries, I imagine that resolver 
vendors might implement better support for them.

-- Sam
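The "private DLV registry within an enterprise" mode of use that Sam mentions can be illustrated with a minimal configuration. This is an added example, not part of the original message and not ISC's or anyone's shipped configuration: the registry name `dlv.corp.example`, the signed zone `example.com`, the key tag, and the digest are all constructed placeholders. It follows the DLV record placement from RFC 4431/5074 (the DLV record for `example.com` lives at `example.com.dlv.corp.example`) and the BIND 9 `dnssec-lookaside` option; the validator only consults the DLV zone for names that have no trust anchor and no secure delegation chain of their own.

```conf
;; --- Zone file for the private DLV registry "dlv.corp.example" ---
;; (constructed example; the registry zone itself must be signed and its
;; KSK distributed to every validator that trusts it)
$ORIGIN dlv.corp.example.
$TTL 3600
@   IN SOA  ns1.corp.example. hostmaster.corp.example. (
            2009040701 ; serial (constructed)
            7200 900 1209600 3600 )
    IN NS   ns1.corp.example.

;; A DLV record has the same RDATA layout as DS: key tag, algorithm,
;; digest type, digest of the target zone's KSK DNSKEY.
;; "12345" and the digest below are placeholders, not real values.
example.com IN DLV 12345 5 1 0000000000000000000000000000000000000000

;; --- Validator side: BIND 9 named.conf fragment (constructed) ---
;; options {
;;     dnssec-enable yes;
;;     dnssec-validation yes;
;;     // For any name with no configured trust anchor, look for a DLV
;;     // record under dlv.corp.example instead of giving up validation.
;;     dnssec-lookaside "." trust-anchor "dlv.corp.example.";
;; };
;; trusted-keys {
;;     // KSK of the DLV registry zone; the key material is a placeholder.
;;     "dlv.corp.example." 257 3 5 "PLACEHOLDER-BASE64-DNSKEY";
;; };
```

Operationally the registry's own DNSKEY is the single trust anchor the validators carry, so the key rollover and the availability of the registry zone are the two things to monitor; an unreachable or expired registry puts every name that depended on it into the same failure state as the outage the thread is about.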
