recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'
Doug Barton
dougb at dougbarton.us
Wed Aug 27 18:54:50 UTC 2014
On 8/26/14 10:35 AM, Timothe Litt wrote:

> I think this is misleading, or at least poorly worded and subject to
> misinterpretation.

I chose my words carefully, and I stand by them.

I did not say that the DLV has no value, and I specifically mentioned
that there are circumstances when it is valuable and should be used. You
clearly have a different view, which is fine.

When it comes to gTLDs, I completely reject the notion that users cannot
change registrars. It can be hard, no doubt, but it's a cost/benefit
analysis. If the benefit of DNSSEC outweighs the difficulty of moving,
then it's worth it. If not, it's not. The fact that it's hard doesn't
mean it's impossible.

That said, I do recognize that there are situations where a chain of
trust to the root is not possible (such as some reverse zones). Again,
this becomes a cost/benefit analysis. For reverse zones if DNSSEC is
important it may be worth the effort of changing providers, or even
getting a PI assignment. For TLDs where DNSSEC is not yet available, a
change may be in order. If enough people vote with their feet in this
way those providers and TLDs that lose customers may reconsider their
offerings.

No one said it would be easy. :)

Doug