On Tue, Apr 10, 2018 at 11:32:18AM +0100, Tony Finch wrote:
> Before the root zone was signed, isc.org created a mechanism called
> "DNSSEC lookaside validation", which allowed "islands of trust" to
> publish their trust anchors in a special dlv.isc.org zone, in a way
> that made it easy for third parties to use them.

To be clear, the zone didn't have to be dlv.isc.org. That was the DLV zone ISC provided, and there was a configuration short cut to make it easy to use, but it's always been possible to configure BIND to use a different DLV zone, including a local one.

> Now that the root is signed and support for DNSSEC is widespread, DLV
> has been decommissioned. But if we tweak it a bit, maybe it will gain
> a new lease of life...?

To be pedantic again, dlv.isc.org is decommissioned. DLV the protocol is still alive and well (for now). However...

> I mentioned my localized DLV idea to Evan Hunt at IETF 101. I feared he
> would think it is too horrible to contemplate :-) but in fact he thought
> the use case is quite reasonable.

I must confess I don't remember the conversation clearly (I may have been a jetlag zombie at the time), but I hope I warned you that in the interest of reducing code complexity, we've been talking about refactoring the BIND validator and stripping out the DLV code in a future release. Use cases like the one you're describing are the reason we've been uncertain about whether to proceed with that. I'd been assuming such use cases would be vanishingly rare. I may have been mistaken about that.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
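As an added illustration of the point made in the reply above (that a resolver can be pointed at a local DLV zone rather than dlv.isc.org), here is a named.conf fragment plus the matching DLV zone data. This is example configuration written for this page, not from the thread or from ISC; it assumes a BIND release that still carries the DLV validator code, and the names dlv.example.org, example.net, the key material and the digest are placeholders.

```conf
// named.conf: validating resolver that consults a local DLV zone.
options {
    dnssec-validation yes;

    // For any name under "." whose chain of trust from the root is absent,
    // look for a DLV record under dlv.example.org (placeholder zone) instead.
    // The first argument is the part of the namespace the lookaside covers,
    // the second is the DLV zone to consult.
    dnssec-lookaside . trust-anchor dlv.example.org;
};

// The DLV zone is itself an island of trust: its KSK must be a statically
// configured trust anchor, or the DLV records it serves cannot be validated.
// The key string below is a placeholder, not a real key.
trusted-keys {
    dlv.example.org. 257 3 8 "PLACEHOLDER-BASE64-DNSKEY-OF-DLV-ZONE-KSK";
};
```

The DLV zone then carries one record per island of trust, stored at the island's name with the DLV zone appended; the RDATA has the same format as a DS record (key tag, algorithm, digest type, digest). For the placeholder zone example.net this would be a line like `example.net.dlv.example.org. IN DLV 12345 8 2 <placeholder SHA-256 digest of the example.net KSK>` in the dlv.example.org zone file. Operationally, whoever runs the DLV zone is now a trust anchor for every island listed in it, so the zone's signing key deserves the same protection as any other trust anchor the resolver is configured with.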