[dns-operations] Question to DNSSEC and DLV policy

Michael Graff michael_graff at isc.org
Fri Mar 20 15:32:46 UTC 2009


iPhone top-post. Sorry.

DLV relies on aggressive negative caching. After a fairly small number
of queries the query load for DLV lookups drops off very fast.

--Michael


On Mar 19, 2009, at 13:17, Ralf Weber <denic at eng.colt.net> wrote:

> MoiN!
>
> On 19.03.2009, at 17:51, Michael Monnerie wrote:
>>> That is correct, but to have validation the resolver would also
>>> have to be DLV enabled. I wouldn't use the shortcut and instead use
>>> a TLD that had DNSSEC for some time (.se).
>>
>> The resolver just needs to have the key of dlv trusted, if I'm right.
> That's correct for DLV yes.
>
>> And I guess the same goes for ITAR, while NCC would work "out of the
>> box", right?
> Both the ITAR and RIPE NCC publish a set of keys that you have to
> configure in your resolvers. The big difference is that DLV does
> a lookup for every query that you get to check if there is a key
> registered. Whereas with manual trust anchors, the resolver will
> just check if it has a key for the domain manually configured in.
>
>> From the 2nd sentence: You mean I should register a .se zone just to
>> have DNSSEC? I want DNSSEC for zmi.at and others, so .se can't help
>> me.
>> Or did I understand you wrong?
> No, that's what I meant. Obviously, working for a pan-European provider
> I might be a bit more open to what TLD to register with. The thing is
> if you want to secure your zone with DNSSEC the reasoning behind that
> for me is that most resolvers should be able to validate my records.
> If I use e.g. colt.net and put it into DLV, only people that use DLV
> can validate my records. If I use coltnet.se, people who configure
> .se manually, as well as ITAR users, as well as DLV users can validate
> my records. The audience is bigger. I do understand however that
> there are valid reasons to secure domains in TLD space that has not
> been secured.
>
> So long
> -Ralf
> ---
> Ralf Weber
> Platform Infrastructure Manager
> Colt Telecom GmbH
> Herriotstrasse 4
> 60528 Frankfurt
> Germany
> DDI: +49 (0)69 56606 2780 Internal OneDial: 8 491 2780
> Fax: +49 (0)69 56606 6280
> Email: rw at colt.net
> http://www.colt.net/
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
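Ralf's comparison of manual trust anchors with a DLV lookup per query, and Michael's point about negative caching, as an added toy model that is not part of the thread: the resolver first checks its configured anchors, then walks the name upward querying the DLV registry, caching every answer so that repeated lookups for the same zone cost no further queries. DLV_REGISTRY, the zone names and the per-name cache are constructed simplifications (real validators use NSEC-based aggressive negative caching that covers whole name ranges).

```python
DLV_DOMAIN = "dlv.isc.org"  # the DLV registry discussed in the thread

# Constructed registry contents for illustration only, not real DLV data.
DLV_REGISTRY = {"colt.net"}

def ancestors(name):
    """Yield name and each enclosing zone, e.g. 'www.colt.net' ->
    'www.colt.net', 'colt.net', 'net' (the root is not returned)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

class Resolver:
    def __init__(self, trust_anchors, use_dlv=False):
        self.trust_anchors = set(trust_anchors)  # zones with a manually configured key
        self.use_dlv = use_dlv                   # whether the DLV key is trusted
        self.dlv_queries = 0                     # queries actually sent to the registry
        self.dlv_cache = {}                      # name -> True/False, hits and misses alike

    def dlv_lookup(self, zone):
        """Look up <zone>.<DLV_DOMAIN>; a cached answer costs no query.
        Per-name caching is a simplification of NSEC-based negative caching."""
        name = f"{zone}.{DLV_DOMAIN}"
        if name not in self.dlv_cache:
            self.dlv_queries += 1
            self.dlv_cache[name] = zone in DLV_REGISTRY
        return self.dlv_cache[name]

    def validation_path(self, qname):
        """Return how qname can be validated: via a configured trust anchor,
        via a DLV record, or not at all ('insecure')."""
        for zone in ancestors(qname):
            if zone in self.trust_anchors:
                return f"anchor:{zone}"
        if self.use_dlv:
            # Search from the most specific name upward; every miss is cached.
            for zone in ancestors(qname):
                if self.dlv_lookup(zone):
                    return f"dlv:{zone}"
        return "insecure"

def dlv_load(resolver, qname, repeats):
    """Number of DLV queries issued for `repeats` further lookups of qname."""
    before = resolver.dlv_queries
    for _ in range(repeats):
        resolver.validation_path(qname)
    return resolver.dlv_queries - before
```

A resolver with only a .se anchor validates coltnet.se but reports colt.net as insecure; a DLV-enabled one validates colt.net after two registry queries, and further lookups of the same name issue none.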
