How sufficient is it to rely on dlv.isc.org?

Paul Vixie vixie at isc.org
Tue Sep 23 15:57:20 UTC 2008


Chris Thompson <cet1 at hermes.cam.ac.uk> writes:

> When configuring a DNSSEC-aware resolver, what is a sensible set
> of trust anchors to start with, at the present time? 
>
> The number of DLV records in dlv.isc.org is gradually increasing[*],
> and it has recently acquired one for a second TLD ("cz." in addition
> to "br."). But how much of the DNSSEC-aware namespace is actually
> covered this way? There are TLDs (e.g. "se." and "bg.") that are 
> signed but do not appear in dlv.isc.org.

ISC won't scrape zones looking for keys.  we have to receive them from
someone who can prove that they are that zone's proper keys.  CZ and BR
have done this.  SE and BG have not (yet?).

> Are there other (competing?) DLV zones? Or other useful collections
> of trust anchors?

there are plenty.  but the ones that are better populated are scrapers,
thus the certitude of the keys and the intent of the keyholders aren't
deterministic.

> [*] How do I know? Well dlv.isc.org uses NSEC records and is therefore
> "enumerable" :-) 113 DLV records at the end of July, 163 today.

all of you, please sign your zones, and send us your keys.
-- 
Paul Vixie
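Two mechanics from the exchange above, shown in an added example that is not code from the post, from ISC or from BIND: how a lookaside validator maps a zone name onto a DLV registry name and climbs toward the closest enclosing DLV entry (the RFC 4431/5074 procedure, simplified to name labels rather than zone cuts), and how the NSEC chain of an NSEC-signed registry can be walked to enumerate its contents, which is the trick Chris Thompson uses to count DLV records. The zone contents below are constructed for the example (the owner names under dlv.isc.org are hypothetical, and no real keys are shown); `nsec_query` stands in for a live DNS lookup. Note that DLV itself is now historic: ISC emptied dlv.isc.org in 2017 and RFC 8749 retired the mechanism, so this illustrates the 2008 design rather than something to deploy today.

```python
"""DLV name mapping and NSEC chain walking, as an illustration.

The mock registry below is constructed for this example; it is not
real dlv.isc.org data, and the names under it are hypothetical.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

# owner name -> (next owner in canonical order, type bitmap), i.e. the
# information an NSEC RR carries. The last entry points back to the apex,
# which is what makes the chain a closed, walkable loop.
MOCK_DLV_ZONE: Dict[str, Tuple[str, List[str]]] = {
    "dlv.isc.org.":            ("br.dlv.isc.org.",         ["SOA", "NS", "DNSKEY", "NSEC", "RRSIG"]),
    "br.dlv.isc.org.":         ("cz.dlv.isc.org.",         ["DLV", "NSEC", "RRSIG"]),
    "cz.dlv.isc.org.":         ("example.cz.dlv.isc.org.", ["DLV", "NSEC", "RRSIG"]),
    "example.cz.dlv.isc.org.": ("dlv.isc.org.",            ["DLV", "NSEC", "RRSIG"]),
}

NsecQuery = Callable[[str], Tuple[str, List[str]]]


def nsec_query(name: str) -> Tuple[str, List[str]]:
    """Mock lookup: 'give me the NSEC RR at this owner'. A real walker
    would send a DNS query and read the NSEC from the answer or the
    authority section of the NXDOMAIN/NODATA response."""
    return MOCK_DLV_ZONE[name]


def dlv_lookup_name(zone: str, registry: str = "dlv.isc.org.") -> str:
    """The owner name a lookaside validator queries for `zone`: the zone
    name with the registry name appended (so cz. -> cz.dlv.isc.org.)."""
    zone = zone.rstrip(".")
    return registry if not zone else f"{zone}.{registry}"


def has_dlv(name: str) -> bool:
    """Mock 'does a DLV RRset exist at this name' check against the zone."""
    entry = MOCK_DLV_ZONE.get(name)
    return entry is not None and "DLV" in entry[1]


def find_dlv_entry(zone: str, registry: str = "dlv.isc.org.",
                   present: Callable[[str], bool] = has_dlv) -> Optional[str]:
    """Climb from `zone` toward the root, returning the first (closest
    enclosing) name that has a DLV entry in the registry, or None when
    nothing in the ancestry is registered (the 'se.' case in the thread)."""
    labels = [l for l in zone.rstrip(".").split(".") if l]
    for i in range(len(labels)):
        candidate = dlv_lookup_name(".".join(labels[i:]) + ".", registry)
        if present(candidate):
            return candidate
    return None


def walk_nsec_chain(apex: str, query: NsecQuery) -> List[Tuple[str, List[str]]]:
    """Follow NSEC 'next' pointers from the apex until they wrap around.
    Every owner name in the zone is visited exactly once, which is why an
    NSEC-signed zone is enumerable. A chain that loops without returning
    to the apex is malformed and is reported rather than followed forever."""
    chain: List[Tuple[str, List[str]]] = []
    seen: Set[str] = set()
    name = apex
    while True:
        if name in seen:
            raise ValueError(f"NSEC chain loops at {name} without reaching {apex}")
        seen.add(name)
        nxt, types = query(name)
        chain.append((name, types))
        if nxt == apex:
            return chain
        name = nxt


def count_rrtype(chain: List[Tuple[str, List[str]]], rrtype: str) -> int:
    """Number of owner names in the walked chain whose bitmap lists rrtype."""
    return sum(1 for _, types in chain if rrtype in types)


if __name__ == "__main__":
    print("cz. is looked up at", dlv_lookup_name("cz."))
    print("closest DLV entry for www.example.cz.:", find_dlv_entry("www.example.cz."))
    print("closest DLV entry for foo.se.:", find_dlv_entry("foo.se."))
    chain = walk_nsec_chain("dlv.isc.org.", nsec_query)
    print("owner names in mock registry:", [n for n, _ in chain])
    print("DLV records found by walking:", count_rrtype(chain, "DLV"))
```

Swapping `nsec_query` for a function that actually queries the registry (and parsing the NSEC from the returned RR) turns `walk_nsec_chain` into the enumeration Chris describes; the same walk fails on an NSEC3-signed zone, where the chain links hashed names rather than owner names.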


More information about the bind-users mailing list