A Deep Dive on the Recent Widespread DNS Hijacking
Tony Finch
dot at dotat.at
Mon Feb 25 11:42:01 UTC 2019
Mark Andrews <marka at isc.org> wrote:
>
> An organisation can also deploy DLV for their own zones using their own
> registry. While the current DLV validating code is only invoked
> when the response validates as insecure, there is nothing preventing a
> policy which says that DLV trumps or must also validate for entries in a
> registry. At this stage it would be a minor code change to add such
> policy knobs. DLV is just an in-band way of distributing trust
> anchors.
Yes (as Mark knows) I would like to be able to use DLV in this enterprisey
way. It should also help validators to continue working for local domains
when external connectivity is funted.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
East Sole, Lundy, Fastnet, Irish Sea: Southeasterly 4 or 5. Rough or very
rough, but slight or moderate in Irish Sea. Mainly fair. Good, occasionally
poor.