A Deep Dive on the Recent Widespread DNS Hijacking

Tony Finch dot at dotat.at
Mon Feb 25 11:42:01 UTC 2019

Mark Andrews <marka at isc.org> wrote:
> An organisation can also deploy DLV for their own zones using their own
> registry.  While the current code DLV validating code is only invoked
> when the response validates as insecure, there is nothing preventing a
> policy which says that DLV trumps or must also validate for entries in a
> registry.  At this stage is would be a minor code change to add such
> policy knobs.  DLV is a just a in-band way of distributing trust
> anchors.

Yes (as Mark knows) I would like to be able to use DLV in this enterprisey
way. It should also help validators to continue working for local domains
when external connectivity is funted.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
East Sole, Lundy, Fastnet, Irish Sea: Southeasterly 4 or 5. Rough or very
rough, but slight or moderate in Irish Sea. Mainly fair. Good, occasionally

More information about the NANOG mailing list