to DLV or not

Edward Lewis Ed.Lewis at neustar.biz
Mon Jun 12 17:33:30 UTC 2006


My background and position on this is best summed up as one of the 
early implementers of DNSSEC and now working for a gTLD/ccTLD 
registry.  In between I spent a lot of time developing, redeveloping 
DNSSEC in the face of operational realities.  (To those who are 
critics of DNSSEC, I ask forgiveness for my wasted middle-age.)

DLV is a concept that someone somewhere in the past few years came up 
with to put needed DNSSEC data in a special location.  Although DLV 
per se is novel in the development of DNSSEC, it is well in-line with 
the earliest intentions of the protocol dreamers.

The original DNSSEC design was to allow any resolver (client) to 
decide how it would collect the needed records to substantiate an 
answer.  In the mid to late 90's we tried to figure out how to first 
express a policy and then come up with something that could take the 
policy and direct the operation of a DNS validator (the thing that 
gives a thumbs up or down to an answer after checking the DNSSEC 
stuff).  We punted, resulting in RFC 3008, which said that the only 
"common" policy was to follow the tree, i.e., root signs TLDs, TLDs 
sign down, etc.  A few years later, a project called FMESHD tried to 
reopen the policy to be more general.  Again, the problem proved too 
big to solve.

Why DLV is different from these two failures is that we had been 
trying to solve the general case without a validator in hand.  (We 
did have validators, but nothing that was integrated with a real name 
server.)  DLV is starting from an implementation and is a pragmatic 
attack on the problem.  DLV is not as general as the original idea, 
but wider than RFC 3008.

The main concern with DLV is that it is not scalable.  That's 
inherent in the problem so I am not surprised.  The tradeoff is that 
you can go "off the tree" but at the cost of "knowing where you are 
going off the tree."

Some folks feel that DLV will compete with TLD registries and delay 
their interest.  Or maybe, for the same reason, spur their interest. 
My opinion is neither, DLV is orthogonal to the TLDs.  DLV may be a 
good measure of interest in DNSSEC though.  Either there will be no 
interest, a quick spike in interest, or a sustained growth.  My guess 
is the middle option - a lot of early registrations and then slow 
growth.  If that's the case, scaling isn't the concern and it won't 
spur the registries to add DNSSEC.

So, ISC's DLV operation?  The developers of BIND are free to 
distribute code with a validation policy that looks up data in their 
DLV.  If all works, then all is good.  If it's a disaster, ISC's DLV 
will cease and the code will cease to have the feature.  "Let the 
market decide."  I don't think that what the pro-s and anti-s *think* 
matters as much as having tangible data on what *happened*.

If the techies still rule the Internet, something like DLV ought to 
be given a try.  Show off a technical solution and use that as an 
example of the way forward.  We've been stalling long enough trying 
to move policy makers to sign the root zone.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Nothin' more exciting than going to the printer to watch the toner drain...
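A toy model of the two validation policies this post contrasts, added here as an example that is not part of Lewis's message nor ISC's or BIND's code: RFC 3008-style tree-following (a chain of DS records from the queried zone up to a configured trust anchor) versus a DLV lookaside, where the resolver, at the point the tree breaks, checks for a DLV record at the child zone's name prepended to a known lookaside domain (the RFC 4431 naming convention). Every zone, key identifier, DS entry and the lookaside domain `dlv.example-registry.test.` is constructed for the illustration; nothing here is a real zone or key.

```python
"""Toy DNSSEC validation policy: follow the tree, with optional DLV lookaside.

Keys are plain identifiers and "signing" is modelled as a lookup; the point
is the chain-building policy, not cryptography.  All data is constructed.
"""

# Constructed sample data (hypothetical zones and key ids).
ZONE_KEY = {                    # zone -> id of the key signing its apex
    "org.": "k-org",
    "isc.org.": "k-isc",
    "example.": "k-example",
    "sub.example.": "k-sub",
    "evil.example.": "k-evil",
}
DS_AT_PARENT = {                # child zone -> key id the parent's DS vouches for
    "isc.org.": "k-isc",        # org. is signed and delegates isc.org. securely
    "sub.example.": "k-sub",    # example. is signed and delegates sub.example.
    "evil.example.": "k-stale", # parent's DS no longer matches the child's key
}
# The root is unsigned in this model (as it was in 2006), and "example." has
# no DS in the root, so the tree cannot reach example. from any anchor.
TRUST_ANCHORS = {"org.": "k-org"}           # what this resolver is configured to trust
DLV_DOMAIN = "dlv.example-registry.test."    # hypothetical lookaside domain
DLV_REGISTRY = {                             # DLV RRs the registry publishes
    "example.dlv.example-registry.test.": "k-example",
}


def parent(zone):
    """Return the parent zone name, or None for the root."""
    if zone == ".":
        return None
    labels = zone.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def dlv_owner(zone, dlv_domain=DLV_DOMAIN):
    """Owner name of the DLV record for `zone`: the zone name prepended to the
    lookaside domain, the convention RFC 4431 uses (assumption: one registry)."""
    return zone.rstrip(".") + "." + dlv_domain


def validate(zone, use_dlv=False):
    """Return (status, anchor, path).

    status is "secure" (chain reached a trusted key), "insecure" (chain ended
    with no trusted key) or "bogus" (a DS or DLV record contradicts the key
    the zone actually uses).  anchor is where the chain was trusted: a
    configured trust anchor zone, or the DLV owner name when lookaside won.
    path lists the zones walked, child first.
    """
    path = []
    cur = zone
    while cur is not None:
        path.append(cur)
        key = ZONE_KEY.get(cur)
        if key is None:                       # unsigned zone: nothing to verify
            return ("insecure", None, path)
        if cur in TRUST_ANCHORS:              # RFC 3008 policy: a configured anchor
            if TRUST_ANCHORS[cur] == key:
                return ("secure", cur, path)
            return ("bogus", cur, path)
        ds = DS_AT_PARENT.get(cur)
        if ds is not None:                    # parent vouches for the child: go up
            if ds != key:
                return ("bogus", parent(cur), path)
            cur = parent(cur)
            continue
        # No DS at the parent: the tree breaks here.  "Going off the tree"
        # means knowing where to look instead, i.e. the lookaside registry.
        if use_dlv:
            owner = dlv_owner(cur)
            dlv = DLV_REGISTRY.get(owner)
            if dlv == key:
                return ("secure", owner, path)
            if dlv is not None:
                return ("bogus", owner, path)
        return ("insecure", None, path)
    return ("insecure", None, path)


if __name__ == "__main__":
    for name in ("isc.org.", "sub.example.", "evil.example."):
        for dlv in (False, True):
            status, anchor, path = validate(name, use_dlv=dlv)
            print(f"{name:14} dlv={dlv!s:5} {status:8} anchor={anchor} path={path}")
```

`isc.org.` is secure either way because the tree reaches the configured `org.` anchor; `sub.example.` is insecure under the pure tree policy and secure only when the resolver knows to consult the registry, which is exactly where the lookaside data must exist for every off-tree zone (the scaling cost Lewis mentions); `evil.example.` stays bogus under both policies, because a contradicting DS in the tree is not something a lookaside can override.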
