wrt joao damas' DLV talk on wednesday

Edward Lewis Ed.Lewis at neustar.biz
Tue Jun 13 19:58:18 UTC 2006


At 11:37 -0700 6/13/06, Randy Bush wrote:

>can you say "does not scale?"  or how about "works poorly when a
>zone is transferred?"

There are two ways to look at "scaling".  Scaling in volume and 
scaling across generations.  DLV definitely does not scale across 
generations with such a person-to-person protocol backing it up.  But 
if it's just a bootstrap mechanism, then I think it's acceptable.

As far as volume scale, DLV puts more work onto whoever configures 
DLV repository data in resolvers.  A DLV per TLD might lower the work 
for the TLD, and possibly remove the need to develop NSEC3 and 
opt-in.  (As DLV only lists the DNSSEC'd zones.)

>i think there is no question that you and isc mean well.  but we've
>entered the twisty passages of security.

DLV at least lets those who are able and willing to take the risk to 
gain first hand experience.  If the ISC DLV runs for 5 years without 
an incident, even with the non-scalable approach as documented, it'll 
be seen as a winner.  The longer it runs without incident, the more 
trustworthy it'll (appear to) be, right up until the point that it no 
longer scales.  If there's an incident, then it won't be trusted but 
we will probably learn from the experience.  Hopefully the lesson 
will come cheap.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Nothin' more exciting than going to the printer to watch the toner drain...