[dns-operations] dlv.isc.org "full production" [was: Re: Statement: Issues using BIND 9.4 & 9.5 with DLV and certain DNSSEC-signed zones]

Sat Mar 21 23:43:02 UTC 2009

On Sat, Mar 21, 2009 at 11:29:00PM +0000, Chris Thompson wrote:
> On Mar 20 2009, Keith Mitchell wrote:
> 
> >ISC announced a new user interface for DLV - DNSSEC Lookaside Validation
> >on March 11th. We have been running the DLV service in limited
> >production and will shortly be ready to move to full production.
> 
> Could we have some exegesis on the difference between "limited production"
> versus "full production" here? Specifically, what are ISC going to do to
> reassure early DNSSEC-adopters using dlv.isc.org as their primary trust
> anchor on the operational robustness of that setup?
> 
> -- 
> Chris Thompson               University of Cambridge Computing Service,
> Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
> Phone: +44 1223 334715       United Kingdom.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations


	well...  i might refer folks to some historical posts from
	Paul Vixie...  granted, he's not claiming direct responsibility
	for DLV, but he is president of ISC...  so his musings might
	carry a little weight.

	for example:

From: Paul Vixie <paul at vix.com>
To: nanog at merit.edu
Subject: wrt joao damas' DLV talk on wednesday
Date: Sun, 11 Jun 2006 06:50:05 +0000
Message-ID: <77813.1150008605 at sa.vix.com>

[lengthy diatribe elided]

(my concern is, DLV is an evolutionary dead end, a deployment
aid, and pissing away even more time and money on it seems like a waste of
time compared to finishing NSEC3, signing the root, y'know, important stuff.)


	---------------------

	with those kinds of statements, I would be very hesitant to 
	commit to DLV for anything other than as a sandbox experiment.
	

--bill