[dns-operations] Unplanned DLV zone outage on 2009-Apr-06
Samuel Weiler
weiler at watson.org
Tue Apr 7 18:05:16 UTC 2009
First, I'll echo Lutz's comments about FUD based on ISC's activities.
There's nothing inherent in the DLV protocol extensions that says you
have to query ISC's DLV registry. If you don't care for their single
point of failure, add some redundancy to the world by running another
registry. DLV was specifically designed for multiple modes of use,
including using private DLV registries to distribute trust anchors
within an enterprise and using multiple DLV registries for redundancy
and better coverage of the namespace.
On Tue, 7 Apr 2009, Joe Abley wrote:
> I tried to track down the answers to the following by reading documentation,
> but I failed (which probably has more to do with me than the documentation).
You might have better luck with RFC5074. For a description of the
known differences between it and the ISC code, see:
http://mail.shinkuro.com:8100/lists/dnssec-deployment/Message/1253.html?Language=
> Can you configure multiple DLV zones on an unbound or BIND9
> validator? What's the behaviour in the case that data exists in just
> one DLV zone, and what's the behaviour if multiple DLV zones contain
> different data? What about if one DLV zone is inaccessible, but
> others aren't?
RFC5074 section 7 talks about how to do it, but, as far as I know, no
shipping code handles multiple (or overlapping) DLV domains. If the
world had multiple useful DLV registries, I imagine that resolver
vendors might implement better support for them.
-- Sam
More information about the dns-operations
mailing list