recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'
dougb at dougbarton.us
Thu Aug 28 18:51:35 UTC 2014
On 8/28/14 10:55 AM, Timothe Litt wrote:
> Aside from the use of the word 'absurdity', I'm not offended. I am
> trying to educate. And while I recognize that I'm arguing
> pragmatism with a market purist,
It's nice to be called "pure," in some context anyway. :) However, as I
pointed out I'm not simply arguing market forces, I'm also arguing the
morality of rewarding those providers who do the right thing; and I'm
quite specifically arguing the anti-pragmatist perspective that voting
with your feet is important.
Chris, I purposely did not invoke the spectre of Jim Reid because I did
not agree with his violent opposition to the DLV when it was created.
But now that we're in the "signed root" phase of DNSSEC deployment I
think that argument has a lot more validity.
> hopefully the OP (and others) will
> learn why some of us have a slightly different view of how to get to
> the end goal.
I agree that illuminating the different points of view is valuable, and
I am happy to agree to disagree with you (and Chris Thompson) on this
> And why my advice for resolvers is 'check DLV', while my advice for
> domain owners is 'take reasonable steps to stay/get out of DLV, but
> use it if you *must*'.
> We're actually not that far apart...
... I'm sorry to say that we are still quite far apart on specifics
though. You continue to use the word "impossible" when what you mean is
"outside of the constraints I have created for myself." I was trying not
to devolve into a discussion of your specific situation, but one really
simple solution to your particular use case would be to move your stuff
to a colo facility where they provide proper reverse DNS, signed
delegations, etc. There is a world of other options, but you have
designated a set of parameters within which you wish to operate, and a
provider that does DNSSEC is outside of your parameters. That doesn't
make it "impossible," that makes it "something you're not willing to do."
Chris' message was an excellent example of his particular value of
"really, really hard," but even he points out that it's not the same as
"impossible." His organization has done the cost/benefit analysis and
determined that having a DNSSEC chain from the root for their reverse
delegations is not worth the cost of moving away from JANET. I don't
know the politics anywhere near as well as Chris does, but I know them
well enough to know that his organization is probably correct in their
analysis. In any case, their network, their rules. I have no problem
And I want to reiterate one last time that I'm NOT saying that no one
should use the DLV, or that no one should put new entries into it. If
you or Chris have people that need to validate your reverse DNS, they
should be given the information they need about using the DLV to do
that. What I AM saying is that people should not be routinely advised to
use the DLV, and that resolver operators should only use it if they have
a good reason to.
And with that, I'll let others chime in, as I don't think I'm saying
anything new here. :)