[dns-operations] Unplanned DLV zone outage on 2009-Apr-06
Mark_Andrews at isc.org
Wed Apr 15 08:40:15 UTC 2009
In message <20090415072108.GA31007 at belenus.iks-jena.de>, Lutz Donnerhacke writes:
> On Wed, Apr 15, 2009 at 11:42:46AM +1000, Mark Andrews wrote:
> > * Lutz Donnerhacke writes:
> > > * Jeremy C. Reed wrote:
> > > > What happens if the unknowing zone decided to become unsigned but the DLV
> > > > still indicates that it should be signed? (Due to no relationship and
> > > > communication with the DLV.)
> > >
> > > That's a main problem, if RFC 5011 is not applied by the registrant.
> > > DLVs are a simple part of this mine field. The various trustman
> > > implementations out there are the unpredictable part.
> > RFC 5011 is not needed in a DLV/parent relationship.
> > RFC 5011 is useful in one-to-unknown.
> The question above is about a DLV without any relationship with the
> registrant. Therefor RFC 5011 applies.
You can't use RFC 5011 without knowing that RFC 5011 is in use.
> OTOH even your(ISC) DLV is going to deploy RFC 5011.
ISC is going to deploy RFC 5011 techniques for the dvl.isc.org
trust-anchor. It will support, but not require, RFC 5011
for entries in the DLV. For instance, I will not be using
RFC 5011 for my own zones in ISC's DLV. I will manage them
through the web interface. I think RFC 5011 is overkill
for parent/child and DLV/zone relationships.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the dns-operations