[dns-operations] darkreading article on EDU signing

[Paul Vixie]

> Date: 11 Sep 2009 23:54:26 +0100
> From: Chris Thompson <cet1 at cam.ac.uk>
> 
> ... I wasn't saying that this was a problem with DLV, just that the
> current DLV setup was a way of exhibiting a problem that could become
> much more pervasive if there were lots of signed children of EDU.
> Problems caused by glue being out-of-step with the in-zone contents are
> reported often enough already: hosts used as nameservers are sometimes
> offering other services as well and are looked up directly.

i think it's interesting that without DLV we would not have learned a lot
of things until later.  so DLV may or may not be fulfilling its mission of
enabling early deployment of DNSSEC, depending on whether by "enable" and
"deployment" we mean finding out what's not working early enough that we
can still do something about it before we're in full production.

> Correspondence with Stephane Bortzmeyer, who was unable to reproduce
> the effect with unbound, reminds me that when this promotion-of-glue
> effect was last discussed on bind-users, Tatuya Jinmei told us that
> a future BIND version would disbelieve these "answers" from the GTLD
> servers because they lacked the "aa" flag. (There *are* servers out
> there which give such answers *with* the "aa" flag set, but not the
> *.gltd-servers.net ones.)

i've been doing this in my own personal hack resolver (not BIND based) for
a couple of years now, and it works fine.

> But Matt Larson's reassurance posted here on behalf of Verisign is
> very welcome.

yea, verily.