On Sat, Oct 25, 2008 at 01:53:48PM -0400, Paul Wouters wrote:
Interesting conclusion. See, the way I understood it from Paul, is that it was not *meant* to scale, as it was an interim solution until not only the root, but large zones such as .com got signed properly.
Paul
this is one of the problems I have w/ DLV. Either it's useful until the entire tree is signed/linked or there is some undefined threshold where it's "good enough" and the operator castrates all the small fry who were depending on it working. it was never clear when/where the threshold was for DLV, just that when in ISC's judgement, things were "good enough" they would turn it off.

which argues for caching your security tokens in multiple places, esp when you may not have a business relationship w/ the key holder. Of course ISC could turn DLV into a profit center by charging for key mgmt. (profit might be a poor term - how about cost recovery?)

end of the day, the trust chain ends @ ISC not IANA. This might not be a bad thing. Trading one not-for-profit California corporation for another one... but is that -really- what the Internet wants?

--bill