Re: [DNSOP] DNSSEC localized validation

Evan Hunt <each@isc.org> Tue, 10 April 2018 16:09 UTC

Date: Tue, 10 Apr 2018 16:09:14 +0000
From: Evan Hunt <each@isc.org>
To: Tony Finch <dot@dotat.at>
Cc: dnsop@ietf.org
Message-ID: <20180410160913.GA94763@isc.org>
References: <alpine.DEB.2.11.1804101114370.27682@grey.csi.cam.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/N_GF2RiKv9U_jY9HN4xTJ5gdrn8>

On Tue, Apr 10, 2018 at 11:32:18AM +0100, Tony Finch wrote:
> Before the root zone was signed, isc.org created a mechanism called
> "DNSSEC lookaside validation", which allowed "islands of trust" to
> publish their trust anchors in a special dlv.isc.org zone, in a way
> that made it easy for third parties to use them.

To be clear, the zone didn't have to be dlv.isc.org. That was the DLV zone
ISC provided, and there was a configuration short cut to make it easy to
use, but it's always been possible to configure BIND to use a different
DLV zone, including a local one.

> Now that the root is signed and support for DNSSEC is widespread, DLV
> has been decommissioned. But if we tweak it a bit, maybe it will gain
> a new lease of life...?

To be pedantic again, dlv.isc.org is decommissioned. DLV the protocol
is still alive and well (for now). However...

> I mentioned my localized DLV idea to Evan Hunt at IETF 101. I feared he
> would think it is too horrible to contemplate :-) but in fact he thought
> the use case is quite reasonable.

I must confess I don't remember the conversation clearly (I may have been a
jetlag zombie at the time), but I hope I warned you that in the interest of
reducing code complexity, we've been talking about refactoring the BIND
validator and stripping out the DLV code in a future release.

Use cases like the one you're describing are the reason we've been
uncertain about whether to proceed with that. I'd been assuming such use
cases would be vanishingly rare. I may have been mistaken about that.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
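
The point Evan makes above, that BIND never required the DLV zone to be
dlv.isc.org, is easiest to see in the configuration. The fragments below
are an added illustration, not text from this message or ISC's own
documentation. The DLV zone name dlv.example.net, the island zone
example.com, the key tag, and the key and digest strings are placeholders
chosen for the example; the statement syntax is that of BIND 9 releases
that still include the DLV validator code, which the reply says ISC was
considering removing.

```conf
# --- named.conf fragment for the recursive resolver ---
# "dnssec-lookaside" takes the namespace lookaside applies to ("." here,
# i.e. everything) and, after "trust-anchor", the name of the DLV zone.
# Any zone can be named here; dlv.isc.org was only the default that the
# "auto" shortcut selected. BIND consults the DLV zone only where the
# regular chain of trust ends at an insecure delegation (no DS record).
options {
    dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.example.net.;
};

# The resolver needs exactly one extra trust anchor: the KSK of the DLV
# zone itself. Every DLV record is verified against that key, so the DLV
# zone must be DNSSEC-signed. The base64 string is a placeholder, not a
# real DNSKEY.
trusted-keys {
    dlv.example.net. 257 3 13 "PLACEHOLDER-BASE64-DNSKEY-OF-dlv.example.net";
};

; --- dlv.example.net zone fragment on the authoritative side ---
; One DLV record per island of trust. The owner name is the island's name
; prepended to the DLV zone; the rdata has the same format as a DS record
; for the island's KSK: key tag, algorithm, digest type, digest. Key tag
; 12345 and the digest are placeholders.
example.com.dlv.example.net.  IN  DLV  12345 13 2 ( PLACEHOLDER-HEX-SHA256-DIGEST-OF-EXAMPLE-COM-KSK )
```

The DLV rdata for an island can be produced from its KSK with
`dnssec-dsfromkey -2 Kexample.com.+013+12345.key` (the key file name is
assumed), then changing the RR type from DS to DLV and appending the DLV
zone to the owner name. To confirm the resolver is using the lookaside
path, query it with `dig @resolver example.com A +dnssec` and check for
the AD flag; a DLV digest that does not match the island's current KSK
makes the island validate as bogus, so the record has to be maintained
across KSK rollovers just like a DS record would be.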