[dns-operations] Hall of DNS Shame (?)

Merike Kaeo merike at fsi.io
Wed Jan 25 21:26:01 UTC 2017


> On Jan 25, 2017, at 12:35 PM, Matt Larson <matt at kahlerlarson.org> wrote:
> 
>>> On Jan 24, 2017, at 8:38 PM, Paul Vixie <vixie at tisf.net> wrote:
>>> 
>>> On Tuesday, January 24, 2017 5:11:25 PM PST Jim Reid wrote:
>>> > I suggest adding ISC to this hall of shame for implementing and deploying DLV. :-)
>>> 
>>> if you think the root or .com would ever have been signed without the threat of dlv, then can i interest you in this fine bridge, which while you can't take it home with you, can be yours for the low low price of a nickel.
>>> 
>>> no :-) here.
>>> 
>>> --
>>> P. Vixie
>> 
> 
>> On Jan 25, 2017, at 6:56 AM, David Conrad <drc at virtualized.org> wrote:
>> 
>> Yes, it would have, at least for the root.
>> 
>> In all the discussions I had with various folks about signing the root within ICANN, there was no mention of DLV that I can recall (and I was somewhat sensitive to the topic).
>> 
>> What caused the root to be signed was the Kaminsky vulnerability.
>> 
>> I obviously can't speak for .COM.
> 
> I worked at Verisign for a very long time, including when .com was signed.  While I obviously can't speak for them now, either, I suspect that if you were to ask anyone who was there at the time, their answer would be that DLV was not at all a factor in the decision to sign .com.

The original comment (with a smiley at end) was "I suggest adding ISC to this hall of shame for implementing and deploying DLV. :-)"

The only data point I know of is that the folks at the .ee ccTLD found dlv useful when it was testing DNSSEC in its environment.  They gave a presentation at ICANN 49 in Singapore and it’s on a slide when they discussed all the testing they did.  Use your favorite search engine and enter “ICANN DLV Estonia” and for me the presentation pdf was first in the search list.  I recall at the time there were some of the folks in this thread in the room and they conceded that dlv had some use.

Me?  I never looked at dlv or played with it, but clearly it was useful to some.  I was just happy .ee was using DNSSEC (and had encouraged them to present re their practical experiences to encourage other smaller entities to do so as well).

- merike
