On Tue, Apr 10, 2018 at 11:32:18AM +0100, Tony Finch wrote:
> Before the root zone was signed, [isc.org](https://www.isc.org)
> created a mechanism called "DNSSEC lookaside validation", which
> allowed "islands of trust" to publish their trust anchors in a special
> `dlv.isc.org` zone, in a way that made it easy for third parties to use
> them.

To be clear, the zone didn't have to be dlv.isc.org. That was the DLV zone
ISC provided, and there was a configuration short cut to make it easy to
use, but it's always been possible to configure BIND to use a different
DLV zone, including a local one.

> Now that the root is signed and support for DNSSEC is widespread, DLV
> has been decommissioned. But if we tweak it a bit, maybe it will gain
> a new lease of life...?

To be pedantic again, dlv.isc.org is decommissioned. DLV the protocol
is still alive and well (for now). However...

> I mentioned my localized DLV idea to Evan Hunt at IETF 101. I feared he
> would think it is too horrible to contemplate :-) but in fact he thought
> the use case is quite reasonable.

I must confess I don't remember the conversation clearly (I may have been a
jetlag zombie at the time), but I hope I warned you that in the interest of
reducing code complexity, we've been talking about refactoring the BIND
validator and stripping out the DLV code in a future release.

Use cases like the one you're describing are the reason we've been
uncertain about whether to proceed with that. I'd been assuming such use
cases would be vanishingly rare. I may have been mistaken about that.

Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

DNSOP mailing list

Reply via email to