[dns-operations] Why I use the DLV

Michael Sinatra michael at rancid.berkeley.edu
Tue Apr 7 18:47:07 UTC 2009


I have had to think about this lately anyway, so I thought I would
briefly put my thoughts down as to why I am using the ISC DLV for UC
Berkeley's caching nameserver DNSSEC validation.

o Overall the DLV has been reliable.  For 6 months, we used the DLV in
limited and eventually full production with zero problems.  The recent
failures detract somewhat from that track record, but do not negate it.
(And the .gov problem was a coding issue in BIND, not an operational
DLV issue per se.)

o I believe DNSSEC needs to happen, it's feasible, and it needs to
happen sooner rather than later.  DNSSEC won't happen with hand-wringing
and it won't happen with endless discussions of chicken-and-egg
problems.  It will only happen if we bother to implement it ourselves.
I think the current threads on dns-operations@ are providing useful
discussion, but let's keep in mind that a lot of this discussion
wouldn't happen if some of us weren't actually using the DLV.

o I personally trust ISC.  I have discussed the DLV with enough of the
staff and with its President, and I know enough about the operation to
be confident in what they're doing.  UC Berkeley is a member of the BIND
Forum.  I don't expect others to have the same level of trust just
because I do.  Use of the DLV was a choice I made after considering
alternatives and investigating risks.

o I believe UC Berkeley, as a public and slightly-taxpayer-funded
institution, should be willing to be early adopters of technologies,
especially with respect to the Internet.  We should be willing to take
some reasonable risk in doing so.  I believe with the two failures we
have had, a lot has been learned about DNSSEC.  Perhaps ironically (or
maybe one could consider it luck), I spoke to campus IT administrators
about DNSSEC about 2 weeks before the .gov failure.  In that talk I
noted emphatically that DNSSEC will expose the world to new and
"interesting" DNS failure modes, but that the community would ultimately
work through those issues and make DNSSEC more robust and the Internet
more secure.

I also acknowledge that UC Berkeley, as a public and
slightly-taxpayer-funded institution, should not be exposed to undue
risk.  Having its caching nameservers effectively break on a Saturday
night may not be as big a problem as if it happened in the middle of the
day, but I recognize that it's a significant issue.  I believe that
there are steps I can take to mitigate the risk.  I may even go so far
as to build my own trust-anchor repository by using known trusted
sources or by enumerating dlv.isc.org.  In that respect, I would still
be trusting ISC's key verification policies, but I wouldn't be exposing
my institution to the full spectrum of risk identified by David Conrad.
Even if I don't query the DLV directly, I will still be using it.

What I am trying to say is that you don't have to drink _all_ of the
kool-aid to still make good use of DNSSEC and even the DLV.  So when we
talk about the different trust and operational issues, we can also think
about ways to mitigate them without throwing the baby out with the
bathwater.

michael
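The "build my own trust-anchor repository" idea above rests on a single check: the DLV record published at zone.dlv.isc.org carries DS-format data (key tag, algorithm, digest type, digest), so a locally stored DNSKEY can be verified against that record before it is trusted. The Python below, added here and not part of the original post or of ISC's tooling, implements that check on a constructed sample key; the helper names and the sample values are assumptions.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(zone: str, rdata: bytes, digest_type: int) -> str:
    """DS digest (RFC 4034 s5.1.4): hash(owner name in wire form || DNSKEY RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(zone) + rdata).hexdigest()

def ds_fields(zone, flags, protocol, algorithm, pubkey_b64, digest_type=2) -> dict:
    """DS-format fields a DLV record at <zone>.dlv.isc.org carries for this key (RFC 4431)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": ds_digest(zone, rdata, digest_type)}

def matches_dlv(zone, dlv_rr, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True only if the DNSKEY is the one the DLV record vouches for (tag, algorithm, digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (dlv_rr["key_tag"] == key_tag(rdata) and dlv_rr["algorithm"] == algorithm
            and dlv_rr["digest"].lower() == ds_digest(zone, rdata, dlv_rr["digest_type"]))

# Constructed sample (not a real key): a KSK for example.com and the DLV entry an
# operator would expect to find at example.com.dlv.isc.org (digest type 2 = SHA-256).
SAMPLE_KEY = base64.b64encode(b"constructed sample key, not a real DNSKEY").decode()
SAMPLE_DLV = ds_fields("example.com", 257, 3, 8, SAMPLE_KEY)

def check_sample() -> tuple:
    """The genuine key matches its DLV entry; a key with one flipped byte does not."""
    raw = bytearray(base64.b64decode(SAMPLE_KEY))
    raw[0] ^= 0x01  # tamper with the public key material
    bad_key = base64.b64encode(bytes(raw)).decode()
    return (matches_dlv("example.com", SAMPLE_DLV, 257, 3, 8, SAMPLE_KEY),
            matches_dlv("example.com", SAMPLE_DLV, 257, 3, 8, bad_key))
```

In a local repository built this way, a DNSKEY fetched from a zone would only be recorded as a trust anchor after matches_dlv returns True against the record retrieved from the DLV registry.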
