[dns-operations] Question to DNSSEC and DLV policy

Mark Andrews Mark_Andrews at isc.org
Mon Mar 23 13:40:59 UTC 2009

In message <200903230826.19155 at zmi.at>, Michael Monnerie writes:
> On Montag 23 M=E4rz 2009 Paul Vixie wrote:
> > there is precious little benefit to being the first to speak a wide
> > area protocol. =A0that was true of IPv6
> Here in Austria, still it *is* true. I don't know any ISP who would give=20
> you IPv6 addresses. I'd like to test it, but can't. I know there are=20
> IPv6-to-IPv4 services, but I'd like to be native. Well, I believe if you=20
> have real services you'd still need both IPv4 and IPv6 on that server.
> > if you deploy DNSSEC and DLV today you will become immune to several
> > kinds of known wire-level poisoning for others who've deployed DNSSEC
> > and DLV.
> >
> > but more importantly you will form an installed base that will
> > attract others who need more motivation than you needed.
> Yes, like I said it's cool. And I'd like to implement and test it. Just=20
> need to wait until named is patched with openSUSE.

	Well the first version of named that supported DNSSEC RFC4034
	was BIND 9.3.0 (September 2004 even though the RFC took
	till March 2005 to be published).  The first version which
	support the DLV record type was BIND 9.3.3 (January 2007,
	DLV itself using a private type was supported in BIND 9.3.0).
	BIND 9.3 is already end-of-lifed.

	So is openSUSE still using BIND 9.2.x and pre-RFC4034 DNSSEC?


> mfg zmi
> =2D-=20
> // Michael Monnerie, Ing.BSc    -----      http://it-management.at
> // Tel: 0660 / 415 65 31                      .network.your.ideas.
> // PGP Key:         "curl -s http://zmi.at/zmi.asc | gpg --import"
> // Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
> // Keyserver: wwwkeys.eu.pgp.net                  Key-ID: 1C1209B4
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the dns-operations mailing list