On 12 Jan 2015, at 16:42, James B. Byrne <byrn...@harte-lyne.ca> wrote:

>> The DANE Validator <https://dane.sys4.de> is intended to identify
>> configuration errors and to help administrators create working DANE
>> SMTP configurations.
> 
> This validator specifically declares DLV trust rooted sites as DNSSEC
> insecure.  Is this correct?

If they say so, then yes. Nobody is compelled to use DLV. Or trust it. For some 
definition of trust. Nobody is obliged to configure their validating resolvers 
to rely on DLV as yet another trust anchor. This is a Good Thing.

By default, DLV is switched off in both BIND and unbound. So it rarely gets 
used. This is a Good Thing too.

Presumably the above validator is not using DLV and therefore doesn't/can't 
validate any DNS data which might be found there => such data get considered to 
be insecure. Their validator, their rules.

> Has DLV been formally deprecated?

No. However ISC is muttering about killing it: no official announcement yet 
though.

> Is dlv.isc.org not considered trusted?

That's a local policy decision for anyone doing DNSSEC validation. Just as it's 
up to the local DNS administrator to trust any other DNSSEC key (including the 
root's - which should be the only key to trust).

IMO anyone using DLV is asking for trouble. Anyone depositing keying material 
there is at best naive because only those who are already drinking the DLV 
kool-aid will be likely to have switched on DLV-flavour validation. That's 
inevitably going to be an insignificant percentage of the people who have 
signed their zones or have turned on DNSSEC validation.

Just because User A has shoved their zones into DLV doesn't mean User B will 
ever use that for validation if/when B turns on DNSSEC validation. Which seems 
to be borne out by your experiences above.

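An added check, not part of this thread or of either resolver project: a small Python script that inspects a BIND 9 or unbound configuration for the DLV directives (`dnssec-lookaside`, `dlv-anchor-file`, `dlv-anchor`) that would make a validating resolver rely on dlv.isc.org as an extra trust anchor. The sample configs and file paths are constructed placeholders.

```python
import re

# Constructed sample configs (not taken from any real host). Both BIND and
# unbound ship with DLV off; it only becomes active when one of the
# directives below is present and not commented out.
BIND_CONF = """
options {
    directory "/var/cache/bind";
    dnssec-validation auto;   // root trust anchor only
    // dnssec-lookaside auto;  // commented out: DLV not in use
};
"""

BIND_CONF_DLV = """
options {
    dnssec-validation auto;
    dnssec-lookaside auto;    // enables DLV with the built-in dlv.isc.org key
};
"""

UNBOUND_CONF_DLV = """
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # placeholder path
    # dlv-anchor-file turns on DNSSEC Lookaside Validation
    dlv-anchor-file: "/var/lib/unbound/dlv.isc.org.key"
"""


def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments so commented-out directives are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(re.split(r"//|#", line, 1)[0] for line in text.splitlines())


def dlv_enabled(conf: str) -> bool:
    """Return True if a BIND or unbound config relies on DLV as a trust anchor."""
    clean = strip_comments(conf)
    # BIND: 'dnssec-lookaside auto;' or 'dnssec-lookaside <zone> trust-anchor <dlv>;'
    # enable it; 'dnssec-lookaside no;' explicitly disables it.
    for m in re.finditer(r"\bdnssec-lookaside\s+([^;]+);", clean):
        if m.group(1).strip().lower() != "no":
            return True
    # unbound: any active dlv-anchor-file: or dlv-anchor: line with a value
    return re.search(r"^\s*dlv-anchor(?:-file)?:\s*\S", clean, flags=re.M) is not None
```

Run it against your own named.conf or unbound.conf to confirm the resolver trusts only the root key, as the reply above recommends.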