[dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care?
bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Sat Oct 25 20:46:46 CEST 2008
On Sat, Oct 25, 2008 at 01:53:48PM -0400, Paul Wouters wrote:
> Interesting conclusion. See, the way I understood it from Paul, is that
> it was not *meant* to scale, as it was an interim solution until not
> only the root, but large zones as .com got signed properly.
>
> Paul

this is one of the problems I have w/ DLV. Either it's useful until the entire tree is signed/linked or there is some undefined threshold where it's "good enough" and the operator castrates all the small fry who were depending on it working.

it was never clear when/where the threshold was for DLV, just that when, in ISC's judgement, things were "good enough" they would turn it off. which argues for caching your security tokens in multiple places, esp. when you may not have a business relationship w/ the key holder.

Of course ISC could turn DLV into a profit center by charging for key mgmt. (profit might be a poor term - how about cost recovery?)

end of the day, the trust chain ends @ ISC not IANA. This might not be a bad thing. Trading one not-for-profit California corporation for another one... but is that -really- what the Internet wants?

--bill