wrt joao damas' DLV talk on wednesday
Edward Lewis
Ed.Lewis at neustar.biz
Tue Jun 13 19:58:18 UTC 2006
At 11:37 -0700 6/13/06, Randy Bush wrote:
>can you say "does not scale?" or how about "works poorly when a
>zone is transferred?"
There are two ways to look at "scaling". Scaling in volume and
scaling across generations. DLV definitely does not scale across
generations with such a person-to-person protocol backing it up. But
if it's just a bootstrap mechanism, then I think it's acceptable.
As far as volume scale, DLV puts more work onto whoever configures
DLV repository data in resolvers. A DLV per TLD might lower the work
for the TLD, and possibly remove the need to develop NSEC3 and
opt-in. (As DLV only lists the DNSSEC'd zones.)
>i think there is no question that you and isc mean well. but we've
>entered the twisty passages of security.
DLV at least lets those who are able and willing to take the risk to
gain first hand experience. If the ISC DLV runs for 5 years without
an incident, even with the non-scalable approach as documented, it'll
be seen as a winner. The longer it runs without incident, the more
trustworthy it'll (appear to) be, right up until the point that it no
longer scales. If there's an incident, then it won't be trusted but
we will probably learn from the experience. Hopefully the lesson
will come cheap.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Nothin' more exciting than going to the printer to watch the toner drain...
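As an added illustration (not part of Lewis's post, and not ISC's code), the following Python sketches the lookaside lookup the thread is arguing about, following the name-construction walk in RFC 5074: a validator that cannot build a chain of trust to a name appends the configured DLV domain and walks up the name one label at a time until it finds DLV data. The registry contents, the `dlv.example.net` domain and the record tuples are constructed stand-ins; the number of candidate names per query is one way to see the "more work on the resolver side" point.

```python
# Added example of DLV (DNSSEC Lookaside Validation) lookaside name
# construction and lookup, per RFC 5074 section 4.  Not code from the
# original post or from ISC; the registry below is a constructed stand-in.


def dlv_candidate_names(qname, dlv_domain):
    """Return the lookaside names a validator tries, most specific first.

    For 'www.example.com' with DLV domain 'dlv.example.net' this yields
    www.example.com.dlv.example.net, example.com.dlv.example.net and
    com.dlv.example.net.  The root itself is never looked up in the DLV zone.
    """
    labels = [lab for lab in qname.rstrip(".").lower().split(".") if lab]
    suffix = dlv_domain.rstrip(".").lower()
    return [".".join(labels[i:] + [suffix]) for i in range(len(labels))]


def find_dlv_anchor(qname, dlv_domain, registry):
    """Walk the candidate names and return (owner, records, queries_made).

    `registry` is a dict mapping lookaside owner names to lists of DLV RDATA
    tuples (key tag, algorithm, digest type, digest).  Returns None records
    if the walk reaches the top without finding lookaside data, which is the
    case for every zone the registry does not list.
    """
    queries = 0
    for name in dlv_candidate_names(qname, dlv_domain):
        queries += 1
        if name in registry:
            return name, registry[name], queries
    return None, None, queries


# Constructed registry: one entry for a hypothetical signed example.com.
# Digest values are placeholders, not real DS/DLV digests.
CONSTRUCTED_REGISTRY = {
    "example.com.dlv.example.net": [(12345, 8, 2, "PLACEHOLDER-DIGEST")],
}


if __name__ == "__main__":
    for q in ("www.example.com", "mail.example.org"):
        owner, rrs, n = find_dlv_anchor(q, "dlv.example.net", CONSTRUCTED_REGISTRY)
        print(q, "->", owner, rrs, "after", n, "lookaside queries")
```

The walk is the cost the post refers to: every unanchored name costs the resolver up to one lookaside query per label, and every registry entry is something a person had to publish and the resolver operator had to trust.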
More information about the NANOG mailing list