How sufficient is it to rely on dlv.isc.org?

Wolfgang S. Rupprecht wolfgang.rupprecht+bindu at gmail.com
Tue Sep 23 16:41:31 UTC 2008


Chris Thompson <cet1 at hermes.cam.ac.uk> writes:
> Are there other (competing?) DLV zones? Or other useful collections
> of trust anchors?

I'm playing with the following, which is an experimental signed root
run by IANA.

    https://ns.iana.org/dnssec/status.html

The recommended named setup is here: 

    https://ns.iana.org/dnssec/named.txt

The only change I'd recommend is to use the following for dnssec.root.
It adds a fallback IP pointing to their anycast address and adds an
ipv6 address for folks that run an ipv6-only setup.
 
.			3600	IN	NS	ns.iana.org.
ns.iana.org.		3600	IN	A	208.77.188.32
ns.iana.org.		3600	IN	AAAA	2620:0:2d0:1::32

.			3600 	IN	NS	pch-test.iana.org.
pch-test.iana.org.	3600	IN	A	204.61.216.37

My good buddy Rick Lamb, who helps run that set of machines, says he
really would like folks to beat on the machines and see what shakes
loose.  Right now they are only getting a paltry 40k queries per day.

And yes, they have all sorts of weasel-words saying not to use it for
production machines.  That is a bit at odds with their desire for
having folks load down the machines more.  I sense one message is
coming from their lawyers and the other from their engineers.  (But
that is just my take on it.  Don't blame me if their machines cough up
a hairball one day and all name resolution stops.  I've been using the
signed root for the past week and so far so good.)

-wolfgang
-- 
Wolfgang S. Rupprecht              http://www.full-steam.org/  (ipv6-only)
  Everybody says there is no ipv6-only content.  Well here you have some.

