[dns-operations] Question to DNSSEC and DLV policy

Michael Monnerie michael.monnerie at is.it-management.at
Thu Mar 19 06:39:05 UTC 2009


I don't know if this question is wanted on this list, as there seem to 
be all kind of DNS gurus who fully understand what's going on. I'm just 
an operator, a small ISP running some hundred (DNS) zones, and had a 
google search about "dlv" (because I didn't understand what you are 
talking about) and read this:
https://www.isc.org/solutions/dlv

Do I understand right that I can start with "just" configuring bind to 
resolve DNSSEC and use DLV to do so, without needing to use DNSSEC for 
our zones? That would be a start to use DNSSEC for us. Of course I 
should wait for a patched bind to come around that "unknown algorithm" 
bug.

But how should I ever be able to use DNSSEC for our customers with this 
policy:
Before it is accepted into the dlv.isc.org zone, ISC will perform checks 
to ensure the keys are being used in the requested zone, that the 
persons making the request are who they claim to be and that they are 
authorised by the domain holder to request the inclusion of the keys in 
the zone.

The last part is not resolvable. I guess other ISPs will refrain also 
from using dlv (or DNSSEC if the same policy applies), because there's 
no way we will contact all our customers to let them sign a paper that 
we will use DNSSEC for their zones. They do not care, do not understand, 
and we don't have the time or will to teach them about it. 
I'd be willing to do the extra work of generating keys, testing DNSSEC, 
implementing it for all zones, including that into dlv and so on, but 
paperwork is absolutely a no-go. Not worth the effort. DNSSEC is 
currently only for the "we're so cool" or "we need security" type of 
customers, where the latter seem to not exist here (at least I never saw 
a customer really caring).

Sorry for the long letter, but I guess lots of other ISPs will have the 
same problem. The fact that we run DNS for our customers should be 
enough to ensure that we "are authorised by the domain holder to request 
the inclusion of the keys in the zone". That is, if you want DNSSEC/dlv 
to get widely used by ISPs.

Maybe this question should go to ISC directly, but my understanding is 
there are enough people on this list to discuss it here. If I'm wrong, 
my apologies, I will contact ISC directly.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc    -----      http://it-management.at
// Tel: 0660 / 415 65 31                      .network.your.ideas.
// PGP Key:         "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net                  Key-ID: 1C1209B4
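The setup asked about above (a BIND resolver that validates DNSSEC via ISC's DLV registry while the operator's own zones stay unsigned) as an added illustration, not part of the original message or of ISC's documentation; it assumes the BIND 9.6-era `named.conf` syntax, and the DLV trust anchor below is a placeholder that must be replaced with the key ISC publishes on the page linked in the mail:

```conf
options {
    directory "/var/named";

    // Turn on DNSSEC processing and validation in the recursive resolver.
    // This only affects answers the resolver receives; the zones this
    // server is authoritative for need not be signed for this to work.
    dnssec-enable yes;
    dnssec-validation yes;

    // Use dlv.isc.org as a lookaside trust anchor for the whole namespace
    // ("."), so zones registered in DLV validate even though their parent
    // (e.g. the root in 2009) is not signed.
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};

trusted-keys {
    // PLACEHOLDER: fetch the current DLV KSK from ISC and verify it out of
    // band before pasting it here; a wrong or stale anchor makes every
    // DLV-registered zone fail validation (SERVFAIL) rather than "just" be
    // unvalidated. Format: name flags protocol algorithm "base64 key".
    dlv.isc.org. 257 3 5 "REPLACE-WITH-KEY-FROM-ISC";
};
```

After reloading, a query through this resolver for a DLV-registered zone with `dig +dnssec` should carry the `ad` flag, and deliberately mangling the key above should turn the same answer into SERVFAIL, which confirms validation is actually in effect.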
