North American Network Operators Group
Re: wrt joao damas' DLV talk on wednesday
- From: Edward Lewis
- Date: Tue Jun 13 15:59:34 2006
At 11:37 -0700 6/13/06, Randy Bush wrote:
There are two ways to look at "scaling". Scaling in volume and
scaling across generations. DLV definitely does not scale across
generations with such a person-to-person protocol backing it up. But
if it's just a bootstrap mechanism, then I think it's acceptable.
can you say "does not scale?" or how about "works poorly when a
zone is transferred?"
As far as volume scale, DLV puts more work onto whomever configures
DLV repository data in resolvers. A DLV per TLD might lower the work
for the TLD, and possibly remove the need to develop NSEC3 and
opt-in. (As DLV only lists the DNSSEC'd zones.)
DLV at least lets those who are able and willing to take the risk to
gain first hand experience. If the ISC DLV runs for 5 years without
an incident, even with the non-scalable approach as documented, it'll
be seen as a winner. The longer it runs without incident, the more
trustworthy it'll (appear to) be, right up until the point that it no
longer scales. If there's an incident, then it won't be trusted but
we will probably learn from the experience. Hopefully the lesson
will come cheap.
i think there is no question that you and isc mean well. but we've
entered the twisty passages of security.
Edward Lewis +1-571-434-5468
Nothin' more exciting than going to the printer to watch the toner drain...
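The resolver-side lookaside lookup the thread is arguing about, as an added example (not code from the thread, from ISC, or from BIND): a validating resolver strips labels from the zone name and queries each name under a configured DLV domain, which is where both the per-resolver configuration work Edward mentions and the "DLV only lists the DNSSEC'd zones" property show up. The search order follows RFC 5074 section 4.1 in simplified form (that RFC post-dates this thread); the repository contents, the digests and the hypothetical per-TLD repository `dlv.nic.example-tld` are constructed sample data.

```python
"""Resolver-side model of a DLV (DNSSEC Lookaside Validation) lookup.

Added example: not code from the thread, from ISC, or from BIND.  The
label-stripping search order follows RFC 5074 section 4.1 in simplified
form.  Repository contents, zone names and digests are constructed.
"""

# A DLV record carries the same fields as a DS record: key tag, algorithm,
# digest type, digest.  A repository is modelled as owner name -> entries.
SAMPLE_DIGEST = "0123456789abcdef0123456789abcdef01234567"  # constructed

# Constructed repositories.  Only signed zones appear; an unsigned zone is
# simply absent, which is the thread's point that a DLV lists only the
# DNSSEC'd zones and never has to prove a delegation is unsigned.
SAMPLE_REPOSITORIES = {
    "dlv.isc.org": {
        "example.com.dlv.isc.org": [(12345, 5, 1, SAMPLE_DIGEST)],
        "signed.se.dlv.isc.org": [(23456, 5, 1, SAMPLE_DIGEST)],
    },
    # Hypothetical per-TLD repository, the "DLV per TLD" idea in the thread.
    "dlv.nic.example-tld": {
        "signed.example-tld.dlv.nic.example-tld": [(34567, 5, 1, SAMPLE_DIGEST)],
    },
}


def dlv_candidates(zone, dlv_domain):
    """Owner names to query for `zone`, most specific first.

    For zone a.b.c and DLV domain d the order is a.b.c.d, b.c.d, c.d.
    The search stops before querying the DLV domain itself.
    """
    labels = [label for label in zone.rstrip(".").split(".") if label]
    return [".".join(labels[i:] + [dlv_domain]) for i in range(len(labels))]


def lookaside_lookup(zone, dlv_domain, repository):
    """Return (owner_name, entries) for the closest enclosing DLV entry.

    Returns None when neither the zone nor any ancestor is listed, meaning
    the lookaside gives the resolver no trust anchor and the zone is treated
    as insecure rather than bogus.
    """
    for name in dlv_candidates(zone, dlv_domain):
        if name in repository:
            return name, repository[name]
    return None


def resolve_lookaside(zone, configured):
    """Try each configured (dlv_domain, repository) pair in order.

    `configured` stands for the per-resolver repository configuration the
    thread says someone has to maintain; each extra DLV domain adds a full
    label-stripping search (and its queries) to every unvalidated zone.
    Returns (dlv_domain, owner_name, entries) or None.
    """
    for dlv_domain, repository in configured:
        hit = lookaside_lookup(zone, dlv_domain, repository)
        if hit is not None:
            return dlv_domain, hit[0], hit[1]
    return None


def queries_for(zone, configured):
    """Number of DLV queries a miss would cost across all configured
    repositories: the volume-scaling cost the thread refers to."""
    return sum(len(dlv_candidates(zone, d)) for d, _ in configured)


if __name__ == "__main__":
    configured = [(d, SAMPLE_REPOSITORIES[d]) for d in SAMPLE_REPOSITORIES]
    for zone in ("www.example.com", "host.signed.example-tld", "unsigned.net"):
        print(zone, resolve_lookaside(zone, configured), queries_for(zone, configured))
```

Adding a second repository does not change what any single lookup returns, but `queries_for` shows that every zone absent from all repositories now costs a label-stripping search per configured DLV domain, which is the volume side of the scaling question.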