recursive lookups for UNSECURE names fail if is unreachable and dnssec-lookaside is 'auto'

Doug Barton dougb at
Thu Aug 28 00:35:49 UTC 2014

On 8/27/14 3:03 PM, Timothe Litt wrote:
> So you really meant that validating resolvers should only consult DLV if
> their administrator knows that users are looking-up names that are in
> the DLV?  That's how I read your advice.

You're correct.

> I don't see how that can work; hence we'll disagree.  I think the only
> viable strategy for *resolvers* is to consult the DLV - as long as it
> exists.

So that leads to a Catch-22, as ISC has stated that they will continue 
to provide the DLV as long as it is used. You're saying that people 
should continue to consult it as long as it exists.

Now that the root is signed the traditional argument against continued 
indiscriminate use of the DLV is that it makes it easier for registries, 
service providers, etc. to give DNSSEC a low priority. "You don't need 
me to provide DNSSEC for you, you can use the DLV." Based on my 
experience I think there is a lot of validity to that argument, although 
I personally don't think it's persuasive on its own.

While I appreciate the tone of reasoned discourse in the message I'm 
responding to, what you have done is provide additional details to 
support your thesis that changing providers is hard. I'm not arguing the 
contrary position, so we can agree to agree on that. What you haven't 
done is provide any evidence to refute my thesis that "It's hard" != 
"It's impossible." I'll even go so far as to agree with you that in some 
cases it's really, really hard.

What that leaves us with is your position (which I will state in an 
admittedly uncharitable way), "Some of us would like to have the 
benefits of protecting our authoritative data with DNSSEC without having 
to endure the cost and inconvenience of migrating our resources to 
providers that support it. Therefore the entire Internet should use the 
DLV." In contrast, my position is that people and/or organizations which 
need the protection of DNSSEC should vote with their feet. In this way 
providers that offer DNSSEC will be rewarded, and those that do not will 
be punished. Completely aside from what I believe to be the absurdity of 
your argument, the position I suggest will almost certainly result in 
market forces which encourage the deployment of DNSSEC. At bare minimum 
it has the moral value of rewarding providers who have done the right 

I realize that it's unpopular to state some of these ideas in such a 
direct way, and I hope no one is offended by one person's opinion. I 
also realize that those who wish to receive the benefits of DNSSEC 
without enduring the aforementioned costs will not like my argument. I 
can't help you there. :)
