[dns-operations] Question to DNSSEC and DLV policy

Ralf Weber denic at eng.colt.net
Thu Mar 19 09:38:09 UTC 2009


On 19.03.2009, at 07:39, Michael Monnerie wrote:
> Do I understand right that I can start with "just" configuring bind to
> resolve DNSSEC and use DLV to do so, without needing to use DNSSEC for
> our zones? That would be a start to use DNSSEC for us. Of course I
> should wait for a patched bind to come around that "unknown algorithm"
> bug.
Yes, you can even just enable DNSSEC on your resolvers and configure
your trust anchors manually from the IANA ITAR and maybe RIPE NCC.

> But how should I ever be able to use DNSSEC for our customers with
> this policy:
> Before it is accepted into the dlv.isc.org zone, ISC will perform
> checks to ensure the keys are being used in the requested zone, that the
> persons making the request are who they claim to be and that they are
> authorised by the domain holder to request the inclusion of the keys
> in the zone.
Difficult, but as I said it is absolutely possible to use DNSSEC without
DLV at all. In that case, for your own domains it would only be a
checkbox (DNSSEC zone). Of course that would only make sense in TLDs
that already have DNSSEC (.se, .cz). But you can always try to convince
your local/favorite TLD to do that (nic.at in your case).

> Sorry for the long letter, but I guess lots of other ISPs will have
> the same problem. The fact that we run DNS for our customers should be
> enough to ensure that we "are authorised by the domain holder to
> request the inclusion of the keys in the zone". That is, if you want
> DNSSEC/dlv to get widely used by ISPs.
DNSSEC and DLV are different things. We e.g. plan to deploy DNSSEC
DLV at all. The plan that we have for deployment probably makes sense  
other ISPs also, so I sketch it out quickly:
- Offer customers a DNSSEC-aware alternative resolver. We will use IANA
ITAR ( https://itar.iana.org/ ) and RIPE NCC (
https://www.ripe.net/projects/disi//keys/index.html ) as trust anchors,
but you could also use DLV here.
- Sign our reverse zones and give RIPE our DS records to enable a chain
of trust.
- Offer customers DNSSEC-signed zones in TLDs where we can enable a chain
of trust from the parent.
I'm not committing on any time frames here, but that is the plan we  

So long
Ralf Weber
Platform Infrastructure Manager
Colt Telecom GmbH
Herriotstrasse 4
60528 Frankfurt
DDI: +49 (0)69 56606 2780 Internal OneDial: 8 491 2780
Fax: +49 (0)69 56606 6280
Email: rw at colt.net
Data | Voice | Managed Services

Protect your environment | Think first, then print

COLT Telecom GmbH, Herriotstraße 4, 60528 Frankfurt/Main, Germany
* Tel +49 (0)69 56606 0 * Fax +49 (0)69 56606 2222 *

Managing Directors: Dr. Jürgen Hernichel (Chairman), Rita Thies *
Frankfurt/Main Local Court HRB 46123 * VAT ID No. DE 197 498 400
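The second step of the plan above, handing the parent (RIPE NCC for the reverse zones, a signed TLD for forward zones) a DS record for your zone's key, is mechanical but easy to get wrong by hand. The script below is an added example for this thread, not code from ISC, Colt or the list: it parses a DNSKEY record in presentation format and derives the DS records a parent would publish, following RFC 4034 (key tag in Appendix B, DS digest over the canonical owner name plus the DNSKEY RDATA in section 5.1.4). The owner name example.net. and the key material are constructed stand-ins, not a real key.

```python
"""Derive DS records from a DNSKEY record (RFC 4034).

Added example for the dns-operations thread on DNSSEC deployment; the
sample zone name and key bytes below are constructed, not real data.
"""
import base64
import hashlib


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, absolute,
    length-prefixed labels, terminated by the root label (0x00)."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label in owner name {name!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def parse_dnskey(record: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags protocol algorithm base64...'
    and return (owner, flags, algorithm, rdata)."""
    fields = record.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    if protocol != 3:
        # RFC 4034 2.1.2: any other value makes the key unusable for DNSSEC
        raise ValueError("DNSKEY protocol field must be 3")
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    return owner, flags, algorithm, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except the
    obsolete RSA/MD5 algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types registered for use here: 1 = SHA-1, 2 = SHA-256
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Uppercase hex digest over canonical owner name || DNSKEY RDATA."""
    return DIGESTS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()


def ds_records(record: str, digest_types=(2,)):
    """Return DS records in presentation format for the given DNSKEY.
    The DS conventionally points at the KSK (SEP bit, flags & 1)."""
    owner, flags, algorithm, rdata = parse_dnskey(record)
    if not flags & 0x0001:
        raise ValueError("DNSKEY has no SEP bit; publish the DS for the KSK")
    tag = key_tag(rdata)
    return [
        f"{owner} IN DS {tag} {algorithm} {dt} {ds_digest(owner, rdata, dt)}"
        for dt in digest_types
    ]


# Constructed sample: 64 arbitrary bytes standing in for a KSK public key.
_FAKE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()
SAMPLE_DNSKEY = f"example.net. 3600 IN DNSKEY 257 3 8 {_FAKE_PUBKEY_B64}"

if __name__ == "__main__":
    for line in ds_records(SAMPLE_DNSKEY, digest_types=(1, 2)):
        print(line)
```

Run it against the DNSKEY your signer produced for the KSK and compare the output with what your signing tool reports before submitting the DS to the parent; a mismatch in key tag or digest means the chain of trust from the parent will fail validation for the whole zone.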
