[dns-operations] Problems resolving .gov using DLV

Jelte Jansen jelte at NLnetLabs.nl
Tue Mar 17 10:23:13 UTC 2009


Keith Mitchell wrote:
> 
> Since this is clearly causing operational pain for various people, we
> (ISC as DLV provider) have temporarily rolled .gov out of DLV. We have a
> number of ideas for work-arounds (and more ideas/suggestions welcome)
> which should allow behavior to be less surprising/more useful for DLV
> users running non-NSEC3 servers such as pre-BIND9.6.0, at least until
> folks have had a chance to upgrade.
> 
> Rather than leap at one of these work-arounds, we want to just do a
> little sanity checking first as to the best approach(es), and that
> the(ir) implementation is sound. Once we've done that (the plan is in a
> few days) we will make a further announcement here, with a short-term
> timeline for re-inserting .gov into DLV.
> 

It seems to me that this is an oversight in the specification (which I
admit I have not read for a long time). I would personally expect DLV keys
to be handled like 'normal' delegated keys; i.e. unknown algorithm ==
insecure. Or am I misinterpreting what is happening here?

Of course that statement does not help the current situation, but unless
there are strong arguments against it I would suggest changing the way
DLV keys are interpreted.

Jelte
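
The rule the message refers to for ordinary delegations (RFC 4035 section 5.2: when no DS record carries an algorithm the validator supports, the zone is treated as insecure), applied to a DLV RRset as suggested above. This is an added example, not part of the original message and not any resolver's code; the record names, key tags, digests and the supported-algorithm sets are constructed assumptions.

```python
# Added illustration; not code from the mailing-list post or from any resolver.
from dataclasses import dataclass

# DNSSEC algorithm numbers (IANA registry). 6 and 7 are the NSEC3 aliases of
# 3 and 5 introduced by RFC 5155, so a pre-NSEC3 validator does not know them.
PRE_NSEC3_ALGS = {1, 3, 5}
NSEC3_AWARE_ALGS = PRE_NSEC3_ALGS | {6, 7}
DIGEST_TYPES = {1}  # SHA-1; assumed to be the only digest this validator knows


@dataclass(frozen=True)
class Delegation:
    owner: str
    rrtype: str      # "DS" or "DLV" (same RDATA layout, RFC 4431)
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def parse(line: str) -> Delegation:
    """Parse one presentation-format DS/DLV record: owner TTL class type rdata."""
    owner, _ttl, _cls, rrtype, tag, alg, dtype, *digest = line.split()
    if rrtype not in ("DS", "DLV"):
        raise ValueError(f"not a DS/DLV record: {rrtype}")
    return Delegation(owner.lower(), rrtype, int(tag), int(alg), int(dtype),
                      "".join(digest).upper())


def classify(rrset, supported_algs, supported_digests=DIGEST_TYPES):
    """Apply the DS rule of RFC 4035 section 5.2 to an authenticated DS or DLV RRset.

    Returns ("insecure", []) when no record is usable, so answers below the
    delegation are accepted unvalidated; otherwise ("must-validate", usable),
    where a failed signature check would make the answer bogus.
    """
    usable = [r for r in rrset
              if r.algorithm in supported_algs and r.digest_type in supported_digests]
    return ("must-validate", usable) if usable else ("insecure", [])


# Constructed sample data: owner names, key tags and digests are placeholders.
SAMPLE = [
    "example.dlv.example. 3600 IN DLV 12345 7 1 " + "AB" * 20,
    "example.dlv.example. 3600 IN DLV 23456 7 1 " + "CD" * 20,
]
MIXED = SAMPLE + ["example.dlv.example. 3600 IN DLV 34567 5 1 " + "EF" * 20]
```

With only algorithm 7 records, classify() returns "insecure" for the pre-NSEC3 set and "must-validate" for the NSEC3-aware set; one usable record in the RRset is enough to require validation.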
