[dns-operations] Unplanned DLV zone outage on 2009-Apr-06

Paul Vixie vixie at isc.org
Wed Apr 15 00:47:42 UTC 2009

> > How often are they verified?
> We crawl 2-3 times per week.

since you're simply scraping, you have no way to know whether the keys
you're getting are the ones that domain owners want used.  i would very
much prefer that you fully divorce your scraping project from DLVs and
TARs, such as by not entering any discussion related to operational
security, and by not publishing your scrape results in DLV format.

i understand the excitement around DNSKEY RRs.  several scrapers out
there like to populate their local validators with trust anchors that
are opportunistically witnessed or scraped.  but there are reasons why
DNSSEC wasn't opportunistic in this way, and those of you who are
scraping really ought to clearly label your results as "for research
and measurement only".

More information about the dns-operations mailing list