[dns-operations] Question to DNSSEC and DLV policy

Lutz Donnerhacke lutz at iks-jena.de
Thu Mar 19 11:27:08 UTC 2009

* Michael Monnerie wrote:
> As I understand it, DLV provides a "shortcut" to domains within TLDs
> which do not provide DNSSEC so far.

It's a bit more general: DLVs fill the gaps in the signed delegation chain.
Such gaps can occur for two main reasons:
  - Intermediate zone is not signed.
     + There is no interest in DNSSEC.
     + Legal department does not allow signing for various reasons.
     + Organisational issues prevent signing.
     + Operational department did not feel good enough to go productive.
  - Intermediate zone does not contain the DS record for the next chain link.
     + Child zone does not want to have the DS record at the parent.
     + Child zone made an operational error in parent communication.
     + Parent zone made an operational error in zone maintenance.
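
The two kinds of gap listed above, as an added example that is not part of the original post: it walks a constructed delegation chain, reports the first break, and names where a look-aside record would sit. The zone data, the function names and the registry name `dlv.example.` are assumptions; the owner-name construction follows the RFC 5074 convention of appending the look-aside domain to the zone name.

```python
# Constructed model, not real DNS data: each zone records whether it is
# signed and whether its parent publishes a DS record for it.
ZONES = {
    ".":            {"signed": True,  "ds_at_parent": True},   # trust anchor
    "org.":         {"signed": True,  "ds_at_parent": True},
    "example.org.": {"signed": True,  "ds_at_parent": False},  # DS missing at parent
    "de.":          {"signed": False, "ds_at_parent": False},  # unsigned intermediate
    "example.de.":  {"signed": True,  "ds_at_parent": False},
}
DLV_DOMAIN = "dlv.example."  # placeholder look-aside registry (assumption)


def chain(zone):
    """Zones from the root down to `zone`, e.g. ['.', 'de.', 'example.de.']."""
    labels = zone.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "."
                    for i in range(len(labels) - 1, -1, -1)]


def find_gap(zone, zones=ZONES):
    """Return (zone_at_gap, reason) for the first break below the root, or None."""
    for name in chain(zone)[1:]:
        entry = zones[name]
        if not entry["signed"]:
            return name, "zone is not signed"
        if not entry["ds_at_parent"]:
            return name, "no DS record at parent"
    return None


def dlv_owner(zone, dlv_domain=DLV_DOMAIN):
    """Owner name at which a look-aside record for `zone` would be published."""
    return zone + dlv_domain  # both names are fully qualified


def resolve_trust(zone, zones=ZONES):
    """Decide how a validator in this model could reach `zone`."""
    if find_gap(zone, zones) is None:
        return ("chain", None)            # unbroken DS/DNSKEY chain from the root
    if zones[zone]["signed"]:
        return ("dlv", dlv_owner(zone))   # signed island: look aside for its anchor
    return ("insecure", None)             # unsigned zone: nothing to validate
```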

