Should we remove the DLV code?

Tony Finch dot at dotat.at
Wed May 22 16:33:52 UTC 2019


Matthijs Mekking <matthijs at isc.org> wrote:
>
> The BIND 9 development team has been discussing whether we should remove
> the DLV code from the BIND 9 source.

DLV as it currently works is not useful and it's a lot of complexity to
carry around. However, with some tweaks it might be made useful. On the
gripping hand the cost/benefit tradeoff probably does not justify working
on it :-)

The scenario is trust anchor distribution inside an enterprise. There are
a few cases where you might want resolvers to be able to validate local
zones without talking to the internet:

* Business continuity in case of loss of external connectivity. Validation
requires chasing the chain of trust from the root; if we only have to
chase down from the corporate domains then internal things still work
when the backhoes do their thing.

* RFC 1918 reverse DNS.

* Private views with distinct keying.

DLV is almost but not quite ideal for distributing trust anchors for
internal zones, because it insulates validators from the details of most
config changes. (A nice counterpart to catalog zones.) The DNS admin only
needs to do RFC 5011 for the DLV zone and almost everything else takes
care of itself.

DLV does not work for this purpose because it is a fallback, whereas what
I want is a source of trust anchors that takes higher priority than the
public DNS.

There are a few reasons why it probably is not worth the effort to adapt
DLV in the way I suggest:

* Shouldn't we work more on making your network more reliable instead of
making the DNS more complicated? (Yes, we have, so in practice this isn't
a big problem that needs solving.)

* Who cares about DNSSEC validation for RFC 1918 reverse DNS?

* There are other ways to allow for private views with different keys from
public views (more DS records!), so we don't need a second way to solve
this problem.

Also my point of view is warped by working for a university where central
IT acts a lot more like an ISP than corporate IT, so we don't have control
over most system configurations.

So that's my brain dump, take it or leave it, and I will still be happy if
you go ahead and delete DLV.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Cape Wrath to Rattray Head including Orkney: West or northwest 5 or 6. Slight
or moderate, becoming rough in northwest. Rain or showers. Moderate or good,
occasionally poor.