[dns-operations] dlv.isc.org "full production" [was: Re: Statement: Issues using BIND 9.4 & 9.5 with DLV and certain DNSSEC-signed zones]

[Michael Graff]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Thompson wrote:
> Could we have some exegesis on the difference between "limited production"
> versus "full production" here? Specifically, what are ISC going to do to
> reassure early DNSSEC-adopters using dlv.isc.org as their primary trust
> anchor on the operational robustness of that setup?

Some amount of that is market-speak.  the dlv.isc.org zone itself has
been in full production (that is, serving up real live data) for a
rather long time now.

The web interface is in "limited production" since it is its first
release to the public.  It was tested before release, and after release
a fairly small number of issues were quickly fixed.  To be "full
production" to me at least means a number of things need to occur
internally to ISC.  Right now, we are very carefully monitoring the data
going into the zone before publication.  While we won't stop monitoring
it, it will not require a human to OK it before publication once "full
production" is achieved.

Perhaps the terms are a little confusing as it implies that we cannot
handle the load, or a large number of zones, etc.  We can, and we can.
However, we are also babysitting this thing closely.  We know DLV is a
security tool, and thus are careful to ensure that we don't make a
mistake here.

- -Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAknFeoIACgkQLdqv0r6eD6bWVgCeOHejXTFs1GOCMKQ5BvvYJxZw
gWEAn04G8OcdDAblPTlTCZ5WPFD08wGi
=MWjb
-----END PGP SIGNATURE-----