[dns-operations] Question to DNSSEC and DLV policy

Paul Vixie vixie at isc.org
Fri Mar 20 00:53:01 UTC 2009


> From: David Conrad <drc at virtualized.org>
> Date: Thu, 19 Mar 2009 17:08:36 -0700
> ...
> ISC's DLV is actually two things:
> 
> - a non-standard protocol modification (see RFC 4431 for something like
> ISC's DLV, but not actually ISC's DLV.  I guess ISC's DLV is documented
> in http://ftp.isc.org/isc/pubs/tn/isc-tn-2006-1.txt, but folks from ISC
> would be more authoritative (pun intended)).  DLV is implemented in very
> recent versions of BIND and (I gather) Unbound.
> - a repository of trust anchors either provided by administrators of the
> zone (however that is established) or obtained from places like IANA's
> ITAR.

right.  history: DLV was first proposed to me by david conrad (then of
internet engines, previously of ISC, and subsequently/now of ICANN).

> One other major point of difference is that since the trust anchors are
> configured directly in the caching name server, the use of IANA's ITAR
> and RIPE-NCC's TAR does not require queries to ISC's infrastructure during
> validation.  The implication of this is that ISC's DLV is more dynamic
> but also requires caching name server operators to accept (some)
> additional latency and the need to trust additional external
> infrastructure.

the number of extra queries (and therefore additional latency) is kept low
by suppressing DLV queries that fall within previously cached validated NSEC
ranges.  history: this optimization was the idea of sam weiler.

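As an added illustration of the NSEC-range suppression Vixie describes (this code is not from the original post and is not BIND's or Unbound's implementation): a validator that has already validated an NSEC record from the DLV zone knows that no name sorting between that NSEC's owner and its "next" name exists, so any DLV lookup name falling in that range can be answered from cache without a query to the DLV zone. The sketch below builds the DLV lookup names for a target zone by appending the DLV domain and walking upward, then checks each against cached NSECs using DNSSEC canonical name ordering (RFC 4034 section 6.1), including the wrap-around case where the last NSEC in the zone points back to the apex. The DLV zone name dlv.isc.org was ISC's registry; the cached NSEC records, the zone names being validated, and the walk direction from the target upward are assumptions made for the example (RFC 5074 specifies the actual search), and the delegation-point subtleties a real validator must also check (RFC 6840 section 4.1) are left out.

```python
# Added example, not from the original post and not BIND's or Unbound's code:
# using cached, validated NSEC records from the DLV zone to suppress DLV
# queries whose names are already proven not to exist.  The DLV domain
# dlv.isc.org was ISC's registry; all NSEC records and target names below
# are constructed sample data.

from dataclasses import dataclass


def canonical_key(name: str) -> tuple:
    """Sort key giving DNSSEC canonical order (RFC 4034 s6.1): compare label
    by label starting at the root, with US-ASCII upper case folded to lower
    case; an ancestor sorts before all of its descendants.  "." -> ()."""
    labels = [l.encode("ascii").lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def is_subdomain(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it."""
    n, z = canonical_key(name), canonical_key(zone)
    return n[:len(z)] == z


@dataclass(frozen=True)
class CachedNsec:
    """An NSEC RR that has already been validated, plus the zone it was
    signed in (the RRSIG signer name)."""
    zone: str
    owner: str
    next_name: str

    def covers(self, name: str) -> bool:
        """True if `name` sorts strictly between owner and next_name, i.e.
        this NSEC proves `name` does not exist.  The last NSEC of a zone has
        the apex as next_name; the apex sorts before every other name in the
        zone, so that record is treated as a wrap-around covering everything
        after its owner.  Simplification: a real validator also rejects an
        NSEC whose owner is a delegation point above `name` (RFC 6840 s4.1)."""
        if not is_subdomain(name, self.zone):
            return False  # a proof from some other zone says nothing here
        n, o, x = (canonical_key(s) for s in (name, self.owner, self.next_name))
        if o < x:
            return o < n < x
        return n > o  # wrap-around: owner is the last name in the zone


def dlv_candidates(target: str, dlv_domain: str) -> list:
    """DLV names to consult for `target`: the target's labels with the DLV
    domain appended in place of the root, walking from the full target name
    up to the child of the root.  Walk direction is an assumption here."""
    labels = [l for l in target.rstrip(".").split(".") if l]
    dlv = dlv_domain.rstrip(".")
    return [".".join(labels[i:] + [dlv]) + "." for i in range(len(labels))]


def plan_dlv_lookups(target: str, dlv_domain: str, cache) -> tuple:
    """Split the candidate DLV names into those a cached NSEC already proves
    absent (no query sent) and those that still need a lookup."""
    suppressed, to_query = [], []
    for qname in dlv_candidates(target, dlv_domain):
        if any(nsec.covers(qname) for nsec in cache):
            suppressed.append(qname)
        else:
            to_query.append(qname)
    return suppressed, to_query


# Constructed sample cache of two validated NSECs from the DLV zone.  The
# first proves nothing exists between c.dlv.isc.org and de.dlv.isc.org; the
# second is the zone's last NSEC, whose next name is the apex.
SAMPLE_CACHE = (
    CachedNsec("dlv.isc.org.", "c.dlv.isc.org.", "de.dlv.isc.org."),
    CachedNsec("dlv.isc.org.", "zed.dlv.isc.org.", "dlv.isc.org."),
)

if __name__ == "__main__":
    for target in ("www.example.com.", "example.net.", "www.zx."):
        s, q = plan_dlv_lookups(target, "dlv.isc.org.", SAMPLE_CACHE)
        print(target, "suppressed:", s, "query:", q)
```

With this cache, every candidate for www.example.com. (www.example.com.dlv.isc.org., example.com.dlv.isc.org. and com.dlv.isc.org.) falls inside the first NSEC's range, so the whole upward walk costs no queries; example.net. falls outside both ranges and still needs lookups; www.zx. is caught by the wrap-around NSEC. The canonical-order comparison matters: a byte-wise or string comparison of the dotted names would place example.com.dlv.isc.org. and com.dlv.isc.org. in different ranges and miss the suppression.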