to DLV or not
Edward Lewis
Ed.Lewis at neustar.biz
Mon Jun 12 17:33:30 UTC 2006
My background and position on this is best summed up as one of the
early implementers of DNSSEC and now working for a gTLD/ccTLD
registry. In between I spent a lot of time developing, redeveloping
DNSSEC in the face of operational realities. (To those who are
critics of DNSSEC, I ask forgiveness for my wasted middle-age.)
DLV is a concept that someone somewhere in the past few years came up
with to put needed DNSSEC data in a special location. Although DLV
per se is novel in the development of DNSSEC, it is well in-line with
the earliest intentions of the protocol dreamers.
The original DNSSEC design was to allow any resolver (client) to
decide how it would collect the needed records to substantiate an
answer. In the mid to late 90's we tried to figure out how to first
express a policy and then come up with something that could take the
policy and direct the operation of a DNS validator (the thing that
gives a thumbs up or down to an answer after checking the DNSSEC
stuff). We punted, resulting in RFC 3008, which said that the only
"common" policy was to follow the tree, i.e., root signs tlds, tlds
sign down, etc. A few years later, a project called FMESHD tried to
reopen the policy to be more general. Again, the problem proved too
big to solve.
Why DLV is different from these two failures is that we had been
trying to solve the general case without a validator in hand. (We
did have validators, but nothing that was integrated with a real name
server.) DLV is starting from an implementation and is a pragmatic
attack on the problem. DLV is not as general as the original idea,
but wider than RFC 3008.
The main concern with DLV is that it is not scalable. That's
inherent in the problem so I am not surprised. The tradeoff is that
you can go "off the tree" but at the cost of "knowing where you are
going off the tree."
Some folks feel that DLV will compete with TLD registries and delay
their interest. Or maybe, for the same reason, spur their interest.
My opinion is neither: DLV is orthogonal to the TLDs. DLV may be a
good measure of interest in DNSSEC though. Either there will be no
interest, a quick spike in interest, or a sustained growth. My guess
is the middle option - a lot of early registrations and then slow
growth. If that's the case, scaling isn't the concern and it won't
spur the registries to add DNSSEC.
So, ISC's DLV operation? The developers of BIND are free to
distribute code with a validation policy that looks up data in their
DLV. If all works, then all is good. If it's a disaster, ISC's DLV
will cease and the code will cease to have the feature. "Let the
market decide." I don't think that what the pro-s and anti-s *think*
matters as much as having tangible data on what *happened*.
If the techies still rule the Internet, something like DLV ought to
be given a try. Show off a technical solution and use that as an
example of the way forward. We've been stalling long enough trying
to move policy makers to sign the root zone.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Nothin' more exciting than going to the printer to watch the toner drain...
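As an added illustration (not code from the post, ISC or BIND, and with no real DNSSEC signature checking), a toy validator contrasting the two policies the post describes: following the tree from a configured anchor, and going "off the tree" via a lookaside registry when the tree walk fails. The zone names, the DS set and the DLV domain dlv.example are constructed; only the RFC 4431 lookaside naming is real.

```python
# Toy model of "follow the tree" (RFC 3008) versus lookaside (DLV) policy.
# Added example, not ISC's or BIND's code and not real DNSSEC: no signatures
# are checked. ds_published is the set of zones whose parent publishes a DS
# for them; dlv_registry is the set of owner names present in a DLV domain.
# All zone names, DS sets and the DLV domain used with it are constructed.

def parent(zone: str) -> str:
    """Parent zone of a fully qualified name; the root "." is its own parent."""
    labels = zone.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."

def walk_tree(zone, ds_published, anchors):
    """Climb from zone toward the root; each hop needs the parent to publish
    a DS for the child. Returns the anchor reached, or None when a link is
    missing before an anchor is found (an unsigned delegation)."""
    cur = zone
    while cur not in anchors:
        if cur == "." or cur not in ds_published:
            return None
        cur = parent(cur)
    return cur

def dlv_name(zone, dlv_domain):
    """RFC 4431 lookaside owner name: the zone name prepended to the DLV
    domain, e.g. example.net. -> example.net.dlv.example"""
    return zone.rstrip(".") + "." + dlv_domain

def validate(zone, ds_published, anchors, dlv_domain=None, dlv_registry=()):
    """Return (status, reason). Tree policy first; lookaside only if enabled."""
    anchor = walk_tree(zone, ds_published, anchors)
    if anchor is not None:
        return "secure", "tree:" + anchor
    if dlv_domain is None:
        return "insecure", "no chain to a configured anchor"
    # Lookaside: try the zone itself, then each ancestor, since the DLV
    # domain may hold an entry for an enclosing zone rather than this one.
    cur = zone
    while cur != ".":
        name = dlv_name(cur, dlv_domain)
        if name in dlv_registry:
            # The DLV entry acts as a trust anchor for cur; the tree walk
            # from zone must still reach cur through published DS records.
            if walk_tree(zone, ds_published, {cur}) == cur:
                return "secure", "dlv:" + name
            return "insecure", "unsigned delegation below " + cur
        cur = parent(cur)
    return "insecure", "no DLV entry for " + zone + " or its ancestors"
```

With no configured anchors (an unsigned root, the situation the post describes) every tree walk fails, so only zones reachable through a DLV entry validate.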
More information about the NANOG mailing list