Matthijs Mekking <matth...@isc.org> wrote:
>
> The BIND 9 development team has been discussing whether we should remove
> the DLV code from the BIND 9 source.

DLV as it currently works is not useful and it's a lot of complexity to
carry around. However, with some tweaks it might be made useful. On the
gripping hand the cost/benefit tradeoff probably does not justify working
on it :-)

The scenario is trust anchor distribution inside an enterprise. There are
a few cases where you might want resolvers to be able to validate local
zones without talking to the internet:

  * Business continuity in case of loss of external connectivity.
    Validation requires chasing the chain of trust from the root; if we
    only have to chase down from the corporate domains then internal
    things still work when the backhoes do their thing.

  * RFC 1918 reverse DNS.

  * Private views with distinct keying.

DLV is almost but not quite ideal for distributing trust anchors for
internal zones, because it insulates validators from the details of most
config changes. (A nice counterpart to catalog zones.) The DNS admin only
needs to do RFC 5011 for the DLV zone and almost everything else takes
care of itself.

DLV does not work for this purpose because it is a fallback, whereas what
I want is a source of trust anchors that takes higher priority than the
public DNS.

There are a few reasons why it probably is not worth the effort to adapt
DLV in the way I suggest:

  * Shouldn't we work more on making your network more reliable instead
    of making the DNS more complicated? (Yes, we have, so in practice
    this isn't a big problem that needs solving.)

  * Who cares about DNSSEC validation for RFC 1918 reverse DNS?

  * There are other ways to allow for private views with different keys
    from public views (more DS records!), so we don't need a second way
    to solve this problem.

Also my point of view is warped by working for a university where central
IT acts a lot more like an ISP than corporate IT, so we don't have
control over most system configurations.

So that's my brain dump, take it or leave it, and I will still be happy
if you go ahead and delete DLV.

Tony.

--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Cape Wrath to Rattray Head including Orkney: West or northwest 5 or 6.
Slight or moderate, becoming rough in northwest. Rain or showers.
Moderate or good, occasionally poor.