On 6 Jan 2015, at 23:18, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> My email server, for example, specifically does not support the ISC DLV.

Yay!

> With the root zone and most TLDs signed, I don't think it makes sense to use 
> it anymore.

+1000.

DLV has always been a *remarkably* bad idea. It actually hinders DNSSEC 
deployment. It adds too many extra moving parts which makes DNSSEC validation 
even more brittle and complex to maintain/debug. Best avoid DLV at all costs.

BTW, it's particularly unwise to adopt DLV to kludge around TLD registries or 
registrars who can't/won't support DNSSEC properly. This was the OP's rationale 
for going down that path. IMO the OP should switch to another registrar and let 
the slacker registrar know why they've lost the OP's business. This will be far 
less painful than jumping into DLV and then trying to figure out how to undo 
that or migrate away from it.

DLV looks to be going away too. ISC is mumbling about switching it off by the 
end of 2016. There was some discussion about this on the dnssec-deployment 
mailing list a couple of weeks ago. The list archives are currently off-line 
but here's the relevant posting:

> From: Michael Richardson <m...@sandelman.ca>
> Date: Tue, 23 Dec 2014 10:02:06 -0500
> Message-ID: <28358.1419346...@sandelman.ca>
> 
> Let me tell you, as m...@isc.org, and the person who takes care of DLV now,
> that DLV doesn't support any ECDSA algorithms.  There is some significant
> conflict between making DLV all-singing and all-dancing, and just shutting it
> down, because it's a crutch now.
> 
> At this point, the plan is that DLV will shut down by the end of 2016.
> Our plan is to find polite ways to tell detect zones whose parent is signed,
> to go do that, and then figure out what's left; and then report that here.

Anyone planning to start depending on DLV needs to think very carefully about 
adopting something that probably has no future apart from a long overdue 
burial. The fact DLV's maintainer is not extending it to support/provision the 
newest DNSSEC crypto algorithms is a fairly clear sign of where DLV is headed.
