North American Network Operators Group
Re: wrt joao damas' DLV talk on wednesday
At 11:37 -0700 6/13/06, Randy Bush wrote:
>> There are two ways to look at "scaling". Scaling in volume and scaling across generations. DLV definitely does not scale across generations with such a person-to-person protocol backing it up. But if it's just a bootstrap mechanism, then I think it's acceptable.
>
> can you say "does not scale?" or how about "works poorly when a zone is transferred?"

>> As far as volume scale, DLV puts more work onto whomever configures DLV repository data in resolvers. A DLV per TLD might lower the work for the TLD, and possibly remove the need to develop NSEC3 and opt-in. (As DLV only lists the DNSSEC'd zones.)

>> DLV at least lets those who are able and willing to take the risk to gain first hand experience. If the ISC DLV runs for 5 years without an incident, even with the non-scalable approach as documented, it'll be seen as a winner. The longer it runs without incident, the more trustworthy it'll (appear to) be, right up until the point that it no longer scales. If there's an incident, then it won't be trusted but we will probably learn from the experience. Hopefully the lesson will come cheap.
>
> i think there is no question that you and isc mean well. but we've entered the twisty passages of security.
Edward Lewis +1-571-434-5468
Nothin' more exciting than going to the printer to watch the toner drain...