[dns-operations] Question to DNSSEC and DLV policy

Keith Mitchell keith_mitchell at isc.org
Thu Mar 19 14:09:14 UTC 2009

Michael Monnerie wrote:

> Do I understand right that I can start with "just" configuring bind
> to resolve DNSSEC and use DLV to do so, without needing to use DNSSEC
> for our zones? That would be a start to use DNSSEC for us.

This would let you do DNSSEC validation of others' zones, though not
enable anyone else to do validation of your own customer zones.

> Of course I should wait for a patched bind to come around that 
> "unknown algorithm" bug.

BIND patches are ready, announcement imminent :-)

> But how should I ever be able to use DNSSEC for our customers with 
> this policy: Before it is accepted into the dlv.isc.org zone, ISC 
> will perform checks to ensure the keys are being used in the 
> requested zone, that the persons making the request are who they 
> claim to be and that they are authorised by the domain holder to 
> request the inclusion of the keys in the zone.

In an ideal world, end-user customers would never have to deal with
Trust Anchor Repositories (TARs) directly - this would all be handled
implicitly in the namespace by TLD registries and registrars as part of
standard domain registration. However, in the absence of the root and
the majority of TLDs being signed yet, there are big gaps in the chain
of trust up and down through the hierarchy. DLV and other TARs
seek to bridge these chain-of-trust gaps by reference directly into the
DNS delegation tree. While it _can_ do this for leaf-nodes, the biggest
wins are of course for references into whole sub-trees.

> The last part is not resolvable. I guess other ISPs will refrain also
> from using dlv (or DNSSEC if the same policy applies), because
> there's no way we will contact all our customers to let them sign a
> paper that we will use DNSSEC for their zones.

In the longer term, what policies apply and how much paperwork is
required will depend on the individual TLD. DLV is only ever intended as
a bootstrap mechanism until the root and TLDs are signed, at which point
we'll be very happy to retire it as a success victim :-) It is fully
understood that a DLV-style TAR approach is not as scalable as something
that builds on the DNS's in-built hierarchy - it is primarily targeted
at early adopters, and in particular TLD operators, for whom one
paperwork transaction delegates large chunks of the out-of-band
validation exercise to that TLD's jurisdiction.

> Sorry for the long letter, but I guess lots of other ISPs will have 
> the same problem. The fact that we run DNS for our customers should 
> be enough to ensure that we "are authorised by the domain holder to 
> request the inclusion of the keys in the zone". That is, if you want 
> DNSSEC/dlv to get widely used by ISPs.

We're in the difficult bootstrap phase of a crucial new technology,
where it is hard work to adopt, and until critical mass is achieved the
benefits are slow to build. This is to some extent unavoidable, but ISC
has been keeping the DNSSEC faith for many years now, and while DLV and
other TARs are by no means fully sufficient to make full DNSSEC
deployment happen, they are, we believe, a necessary (and interim) step
along the way to make it easier.

> Maybe this question should go to ISC directly, but my understanding 
> is there are enough people on this list to discuss it here. If I'm 
> wrong, my apologies, I will contact ISC directly.

Speaking for ISC, I hope this addresses your questions.
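The resolver-side setup asked about at the top of this exchange, as an added named.conf example (not from the original message or from ISC): the BIND 9.6-era syntax current when this was written, with the form a current BIND needs alongside it. Validating with DLV touched only the resolver; it did nothing to let anyone else validate the zones you served. The DLV key material below is a placeholder, not the real key, which had to be fetched and verified out of band from ISC.

```conf
// --- 2009 form (BIND 9.6 era) ---
// Added example, not part of the original message. Turns a recursive
// server into a validating resolver and falls back to the dlv.isc.org
// lookaside zone for names with no signed path from the root.
options {
    dnssec-enable yes;        // process DNSSEC records at all
    dnssec-validation yes;    // refuse answers that fail validation
    // For any name lacking a chain of trust from a configured anchor,
    // look up <name>.dlv.isc.org for a DLV record carrying its DS data.
    dnssec-lookaside "." trust-anchor "dlv.isc.org.";
};

// The DLV zone's own key is the trust anchor everything else hangs on.
// PLACEHOLDER value: the real KSK was published by ISC and had to be
// obtained and checked out of band, never copied from an unverified source.
trusted-keys {
    dlv.isc.org. 257 3 5 "<base64 DNSKEY obtained and verified out of band>";
};

// --- current form (replaces the options block above; do not use both) ---
// ISC retired the DLV service in 2017, as the message above anticipated,
// and dnssec-lookaside has since been deprecated. With the root signed,
// "auto" validates against the built-in root trust anchor and tracks
// its rollovers per RFC 5011, so no out-of-band key handling remains.
options {
    dnssec-validation auto;
};
```

After reloading, a query such as `dig @127.0.0.1 +dnssec <signed-name>` should return the `ad` flag for a correctly signed name and SERVFAIL for one whose signatures are broken; without the `ad` flag, the resolver is merely passing DNSSEC records through, not validating them.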