recursive lookups for UNSECURE names fail if is unreachable and dnssec-lookaside is 'auto'

Timothe Litt litt at
Thu Aug 28 17:55:57 UTC 2014

On 27-Aug-14 20:35, Doug Barton wrote:
> On 8/27/14 3:03 PM, Timothe Litt wrote:
>> So you really meant that validating resolvers should only consult DLV if
>> their administrator knows that users are looking-up names that are in
>> the DLV?  That's how I read your advice.
> You're correct.
>> I don't see how that can work; hence we'll disagree.  I think the only
>> viable strategy for*resolvers*  is to consult the DLV - as long as it
>> exists.
> So that leads to a Catch-22, as ISC has stated that they will continue
> to provide the DLV as long as it is used. You're saying that people
> should continue to consult it as long as it exists.
> Now that the root is signed the traditional argument against continued
> indiscriminate use of the DLV is that it makes it easier for
> registries, service providers, etc. to give DNSSEC a low priority.
> "You don't need me to provide DNSSEC for you, you can use the DLV."
> Based on my experience I think there is a lot of validity to that
> argument, although I personally don't think it's persuasive on its own.
I don't want to see indiscriminate use of the DLV.  See below.
> While I appreciate the tone of reasoned discourse in the message I'm
> responding to, what you have done is provide additional details to
> support your thesis that changing providers is hard. I'm not arguing
> the contrary position, so we can agree to agree on that. What you
> haven't done is provide any evidence to refute my thesis that "It's
> hard" != "It's impossible." I'll even go so far as to agree with you
> that in some cases it's really, really hard.
For me, it's impossible.  I've stated why.  I am a very small player - I
run a network for my extended (multi-state) family, and some free
services for a few hundred former colleagues.  I considered the options
that you suggested - they are not practical, affordable or both.  No ISP
in my geography will provide DNSSEC for reverse DNS.  I have asked (in
dnssec-deployment) for help in pressuring the ISPs to solve this
problem.  Comcast (which is not in my geography) has acknowledged the
issue, and has "had it on their list" for several years.  None of the
others have gone even that far. 

> What that leaves us with is your position (which I will state in an
> admittedly uncharitable way), "Some of us would like to have the
> benefits of protecting our authoritative data with DNSSEC without
> having to endure the cost and inconvenience of migrating our resources
> to providers that support it. Therefore the entire Internet should use
> the DLV." In contrast, my position is that people and/or organizations
> which need the protection of DNSSEC should vote with their feet. In
> this way providers that offer DNSSEC will be rewarded, and those that
> do not will be punished. 
I would vote with my feet if I could.  I can't.  The problem with your
market driven approach is that ISPs are largely unregulated monopolies. 
At least, for those of us who are based in residences/small businesses. 
I'm fortunate to have 2 cables pass my house - fiber and cable TV.  
Only the fiber provider has enough outbound bandwidth for site-site
backup, which I get for $<low 3 figures>/mo.  The cable TV-based
provider says 'yes since you have business class service (static IPs),
we will provide a fiber to your premises.  First, there's the
engineering study for $<5 figures>, then a construction fee, then %<4
figures>/month...unless you want serious bandwidth, in whch case it's
more." So there's no competition.  Neither cares about DNSSEC.  Neither
is required to care by regulation, RFC, ICANN/IANA or organized
community pressure.

The answer is different when you're an enterprise with a large budget. 
I've been there.  "Let us consolidate your voice & data networks; sure,
we'll eat the engineering costs of switching you to a few OC-48 fibers;
saves us money  maintaining all those copper wires.  You want a couple
of dark fibers, and a couple of hundred PI IP addresses routed - no
problem.  Switch your phone system to VoIP too?  Oh, you got a quote
from them,  including running new fiber from the highway to your plant
for free?  Let me re-work our numbers.  Can we shine your shoes?"  When
you pay several $100K/mo for bandwidth per site, it's amazing how
responsive vendors can be.  So your approach works for some, according
to the golden rule (she who has the gold, makes the rules.)

> Completely aside from what I believe to be the absurdity of your
> argument, the position I suggest will almost certainly result in
> market forces which encourage the deployment of DNSSEC. At bare
> minimum it has the moral value of rewarding providers who have done
> the right thing.
I don't think it's absurd to note that people in my position - and there
are a lot of us - are forced to use DLV for some cases.  The most
prominent is reverse DNS.  We *can't* switch providers.  We *can't* get
IP addresses from other sources (and get them routed) without literally
going bankrupt.

Since no one can predict what names a validating resolver will be asked
for, resolvers should check DLV.  That rewards those of us who sign our
domains any way we can.

That's separate from "when should DLV be used".  Before the root was
signed, I used DLV for my forward domains.  As my TLDs were signed, I
asked my registrars to accept my DS records; switched registrars (and
told them why) when they did not.  So I did my (small) part by using the
market where I could.

I want only the minimum number of entries in the DLV, and I want the
requirements for those entries to go away.  The registry agreements for
the new TLDs all require DNSSEC support; that's a good thing.  That we
can't get the same for, is frustrating.

I'm also on record saying that it would be reasonable for ISC to ask
those with DLV entries that can also be reached thru a trusted path from
the root to consider removing them.  (I don't say force removal, because
there are some rare circumstances where DLV is used to override a bogus
root path.)

So I'm in favor of pressure to reduce DLV entries to the bare minimum. 
And I'm in favor of market pressure where possible, and
community/regulatory pressure to eliminate the need for DLV entries. 

That's not an instant fix, but it's not catch-22.  Eventually it ought
to be possible to empty DLV.  And after it's empty (or nearly so), it
can go away.

> I realize that it's unpopular to state some of these ideas in such a
> direct way, and I hope no one is offended by one person's opinion. I
> also realize that those who wish to receive the benefits of DNSSEC
> without enduring the aforementioned costs will not like my argument. I
> can't help you there. :)
Aside from the use of the word 'absurdity', I'm not offended.  I am
trying to educate.  And while I recognize that I'm arguing pragmatism
with a market purist, hopefully the OP (and others) will learn why some
of us have a slightly different view of how to get to the end goal.  And
why my advice for resolvers is 'check DLV', while my advice for domain
owners is 'take reasonable steps to stay/get out of DLV, but use it if
you *must*'.

We're actually not that far apart...

> Doug

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5159 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the bind-users mailing list