[dns-operations] Question to DNSSEC and DLV policy

Ralf Weber denic at eng.colt.net
Thu Mar 19 18:17:57 UTC 2009


On 19.03.2009, at 17:51, Michael Monnerie wrote:
>> That is correct, but to have validation the resolver also would also
>> have to be DLV enabled. I wouldn't use the shortcut and instead use
>> a TLD that had DNSSEC for some time (.se).
> The resolver just needs to have the key of dlv trusted, if I'm right.
That's correct for DLV yes.

> And I guess the same goes for ITAR, while NCC would work "out of the
> box", right?
Both the ITAR and RIPE NCC publish a set of keys that you have to
configure in your resolvers. The big difference is that DLV does
a lookup for every query that you get to check if there is a key
registered. Whereas with manual trust anchors, the resolver will
just check if it has a key for the domain manually configured in.

>> From the 2nd sentence: You mean I should register a .se zone just to
> have DNSSEC? I want DNSSEC for zmi.at and others, so .se can't help  
> me.
> Or did I understand you wrong?
No that's what I meant. Obviously working for an pan european provider
I might be a bit more open to what TLD to register with. The thing is
if you want to secure your zone with DNSSEC the reasoning behind that
for me is that most resolvers should be able to validate my records.
If I use e.g colt.net and put it into DLV, only people that use DLV
can validate my records. If I use coltnet.se, people who configure
.se manually, as well as ITAR users, as well as DLV users can validate
my records. The audience is bigger. I do understand however that
there are valid reasons to secure domains in TLD space that has not
been secured.

So long
Ralf Weber
Platform Infrastructure Manager
Colt Telecom GmbH
Herriotstrasse 4
60528 Frankfurt
DDI: +49 (0)69 56606 2780 Internal OneDial: 8 491 2780
Fax: +49 (0)69 56606 6280
Email: rw at colt.net
Data | Voice | Managed Services

Schütze Deine Umwelt | Erst denken, dann drucken

COLT Telecom GmbH, Herriotstraße 4, 60528 Frankfurt/Main, Deutschland  
* Tel +49 (0)69 56606 0 * Fax +49 (0)69 56606 2222 *

Geschäftsführer: Dr. Jürgen Hernichel (Vors.), Rita Thies *  
Amtsgericht Frankfurt/Main HRB 46123 * USt.-IdNr. DE 197 498 400

More information about the dns-operations mailing list