On 22 Apr 2009, at 08:27, Florian Weimer wrote:
Should critical DNS infrastructure include DLV zones for public use?
No. Absolutely not. DLV is not critical to the operation of the Internet. [IMO it's a short-term hack that will go away once the root and/or major TLDs get signed.] The DNS servers for TLDs, and to a lesser extent, the Tier-1 ENUM delegations are critical. If they went away, everyone would immediately notice that. If a DLV zone's DNS servers fail, an insignificant number of people would notice. DLV users are a fraction of the tiny number of people using DNSSEC today.

Another point: anyone can set themselves up as a DLV provider. So if arbitrary DLV operators were able to get anycast allocations, this would be a good way of depleting the remaining IPv4 space. At least there's a finite number of TLD and Tier-1 ENUM delegations which are underpinned by "official" registries and procedures for obtaining/managing them. This is not the case for DLV providers (if I can use that vague term).

Oh, and what happens when the next flavour-of-the-month DNSSEC validation hack comes along? Should the policy be modified to accommodate that too??

BTW I am also uncomfortable with attempts to shore up DLV or to make it more permanent. That takes resources away from getting DNSSEC properly deployed by having the root and TLDs signed.