On 8/27/14 3:03 PM, Timothe Litt wrote:
> So you really meant that validating resolvers should only consult DLV if
> their administrator knows that users are looking-up names that are in
> the DLV?  That's how I read your advice.

You're correct.

> I don't see how that can work; hence we'll disagree.  I think the only
> viable strategy for *resolvers* is to consult the DLV - as long as it
> exists.

So that leads to a Catch-22, as ISC has stated that they will continue to provide the DLV as long as it is used. You're saying that people should continue to consult it as long as it exists.

Now that the root is signed the traditional argument against continued indiscriminate use of the DLV is that it makes it easier for registries, service providers, etc. to give DNSSEC a low priority. "You don't need me to provide DNSSEC for you, you can use the DLV." Based on my experience I think there is a lot of validity to that argument, although I personally don't think it's persuasive on its own.

While I appreciate the tone of reasoned discourse in the message I'm responding to, what you have done is provide additional details to support your thesis that changing providers is hard. I'm not arguing the contrary position, so we can agree to agree on that. What you haven't done is provide any evidence to refute my thesis that "It's hard" != "It's impossible." I'll even go so far as to agree with you that in some cases it's really, really hard.

What that leaves us with is your position (which I will state in an admittedly uncharitable way), "Some of us would like to have the benefits of protecting our authoritative data with DNSSEC without having to endure the cost and inconvenience of migrating our resources to providers that support it. Therefore the entire Internet should use the DLV." In contrast, my position is that people and/or organizations which need the protection of DNSSEC should vote with their feet. In this way providers that offer DNSSEC will be rewarded, and those that do not will be punished. Completely aside from what I believe to be the absurdity of your argument, the position I suggest will almost certainly result in market forces which encourage the deployment of DNSSEC. At bare minimum it has the moral value of rewarding providers who have done the right thing.

I realize that it's unpopular to state some of these ideas in such a direct way, and I hope no one is offended by one person's opinion. I also realize that those who wish to receive the benefits of DNSSEC without enduring the aforementioned costs will not like my argument. I can't help you there. :)

Doug

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users