recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

Doug Barton dougb at dougbarton.us
Thu Aug 28 18:51:35 UTC 2014


On 8/28/14 10:55 AM, Timothe Litt wrote:

> Aside from the use of the word 'absurdity', I'm not offended.  I am
> trying to educate.  And while I recognize that I'm arguing
> pragmatism with a market purist,

It's nice to be called "pure," in some context anyway. :)  However as I 
pointed out I'm not simply arguing market forces, I'm also arguing the 
morality of rewarding those providers who do the right thing; and I'm 
quite specifically arguing the anti-pragmatist perspective that voting 
with your feet is important.

Chris, I purposely did not invoke the spectre of Jim Reid because I did 
not agree with his violent opposition to the DLV when it was created. 
But now that we're in the "signed root" phase of DNSSEC deployment I 
think that argument has a lot more validity.

> hopefully the OP (and others) will
> learn why some of us have a slightly different view of how to get to
> the end goal.

I agree that illuminating the different points of view is valuable, and 
I am happy to agree to disagree with you (and Chris Thompson) on this 
topic.

> And why my advice for resolvers is 'check DLV', while my advice for
> domain owners is 'take reasonable steps to stay/get out of DLV, but
> use it if you *must*'.
>
> We're actually not that far apart...

... I'm sorry to say that we are still quite far apart on specifics 
though. You continue to use the word "impossible" when what you mean is 
"outside of the constraints I have created for myself." I was trying not 
to devolve into a discussion of your specific situation, but one really 
simple solution to your particular use case would be to move your stuff 
to a colo facility where they provide proper reverse DNS, signed 
delegations, etc. There is a world of other options, but you have 
designated a set of parameters within which you wish to operate, and a 
provider that does DNSSEC is outside of your parameters. That doesn't 
make it "impossible," that makes it "something you're not willing to do."

Chris' message was an excellent example of his particular value of 
"really, really hard," but even he points out that it's not the same as 
"impossible." His organization has done the cost/benefit analysis and 
determined that having a DNSSEC chain from the root for their reverse 
delegations is not worth the cost of moving away from JANET. I don't 
know the politics anywhere near as well as Chris does, but I know them 
well enough to know that his organization is probably correct in their 
analysis. In any case, their network, their rules. I have no problem 
with that.

And I want to reiterate one last time that I'm NOT saying that no one 
should use the DLV, or that no one should put new entries into it. If 
you or Chris have people that need to validate your reverse DNS, they 
should be given the information they need about using the DLV to do 
that. What I AM saying is that people should not be routinely advised to 
use the DLV, and that resolver operators should only use it if they have 
a good reason to.

And with that, I'll let others chime in, as I don't think I'm saying 
anything new here. :)

Doug
