[dns-operations] Question to DNSSEC and DLV policy

Mark Andrews Mark_Andrews at isc.org
Thu Mar 19 11:13:03 UTC 2009


In message <200903191142.11609 at zmi.at>, Michael Monnerie writes:
> On Donnerstag 19 M=E4rz 2009 Ralf Weber wrote:
> > DNSSEC and DLV are different things. We e.g plan to deploy DNSSEC 
> > without
> > DLV at all. The plan that we have for deployment probably makes sense
> > for
> > other ISPs also, so I sketch it out quickly:
> > - Offer customer an DNSSEC aware alternative resolver. We will use
> > IANA ITAR ( https://itar.iana.org/ ) and RIPE NCC (
> > https://www.ripe.net/projects/disi//keys/index.html ) as trust
> > anchors, but you could also use DLV here.
> 
> So DLV, ITAR and NCC are all the same, just from different sources?

	DLV and ITAR are third party collections of trust anchors.
	NCC is a first party collection of trust anchors.
 
> As I understand it, DLV provides a "shortcut" to domains within TLDs
> which do not provide DNSSEC so far. I could use DNSSEC for my zmi.at
> despite .at not providing DNSSEC today by entering zmi.at into dlv. Is
> that correct?

	DLV provides a place to register your zone if your parent
	doesn't support DNSSEC yet and/or they charge too much.

	DLV provides a easy mechanism to get at lots of trust anchors
	without having discover and track each of them yourself.

	Mark

> mfg zmi
> -- =
> 
> // Michael Monnerie, Ing.BSc    -----      http://it-management.at
> // Tel: 0660 / 415 65 31                      .network.your.ideas.
> // PGP Key:         "curl -s http://zmi.at/zmi.asc | gpg --import"
> // Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
> // Keyserver: wwwkeys.eu.pgp.net                  Key-ID: 1C1209B4
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org



More information about the dns-operations mailing list