What's happening with DLV?

Now that the root zone has been officially signed, what happens with ISC's DNSSEC Look-aside Validation Registry? The short answer is, it gets smaller, but does not go away, at least not today.

While having the root signed is a critically important step in the DNSSEC deployment effort, it is not the final step. It is the one that lets many other zones, such as Top Level Domains (TLDs), be signed usefully, because their DS records can now be published in a signed root and validated from the root trust anchor. It removes the need for many stop-gap measures, such as certain Trust Anchor Repositories (TARs) and the TLD entries in ISC's DLV registry.

However, not all TLDs are going to be signed immediately. Some TLDs have projected DNSSEC production dates in early 2011 or later. Owners of domains under these TLDs will still find DLV a useful tool to publish their DNSSEC keys and to promote the use of DNSSEC within their organizations.

Additionally, a TLD being signed and having its DS record in the root zone does not mean you are able to add your records to it. Not all registrars are yet prepared to accept DS records from their customers, and without a DS record in the parent a signed child zone cannot be validated through the normal chain of trust.

ISC's plan for DLV over the next few weeks is to watch and see what happens with the TLD operators. If a specific TLD is inserted into the root zone and signed properly, we will remove that TLD from our database. This is consistent with ISC's goal of using the proper DNSSEC hierarchy as the DNSSEC protocol intends.

We will not prevent users from adding their own zones under these TLDs, and we will not remove any TLDs which were added directly by the TLD operators. This means that owners of zones who cannot otherwise publish their DNSSEC keys can continue to use DLV. We will not remove any zones from DLV which we did not enter ourselves, leaving users the option of publishing their key in DLV in addition to the parent, during transition or for other purposes.

ISC will continue to encourage those adding zones to the DLV registry to use the intended parent-to-child path if at all possible.
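The choice described above, publishing a key in the parent (as a DS record) or in DLV, comes down to the same data in two places: a DLV record carries exactly the DS RDATA (key tag, algorithm, digest type, digest) under an owner name formed by prepending the zone name to the registry name, dlv.isc.org. The following is an added example, not ISC's code or a DLV registry tool, that computes the RFC 4034 key tag and DS digest for a DNSKEY and prints both the DS record for the parent and the equivalent DLV record. The DNSKEY used is a constructed placeholder with a deliberately tiny RSA key; it is not a real key and the zone name example.org is only illustrative.

```python
"""DS / DLV record derivation for a DNSKEY (RFC 4034 key tag and digest,
RFC 4431 DLV owner name).  Added example: the DNSKEY below is a constructed
placeholder, not a real key."""
import base64
import hashlib

DLV_REGISTRY = "dlv.isc.org."   # ISC's look-aside registry zone


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire format of a domain name: length-prefixed
    labels terminated by the zero-length root label (RFC 4034 section 6.2)."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSAMD5):
    even-offset bytes weighted by 256, then fold the carry back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    h = DIGESTS[digest_type]()
    h.update(wire_name(owner) + rdata)
    return h.hexdigest().upper()


def ds_rdata(owner: str, rdata: bytes, digest_type: int) -> str:
    """The four DS fields in presentation format: key tag, algorithm, digest type, digest."""
    algorithm = rdata[3]
    return f"{key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def dlv_name(owner: str) -> str:
    """Look-aside owner name: the zone name prepended to the registry name (RFC 4431)."""
    return owner.rstrip(".") + "." + DLV_REGISTRY


def publish_records(owner: str, rdata: bytes, digest_type: int = 2):
    """Return (DS record to hand to the parent/registrar, equivalent DLV record).
    The RDATA is identical; only the owner name and RR type differ."""
    fields = ds_rdata(owner, rdata, digest_type)
    return (f"{owner} IN DS {fields}", f"{dlv_name(owner)} IN DLV {fields}")


# Constructed placeholder KSK: flags 257 (SEP bit set), protocol 3,
# algorithm 8 (RSASHA256), RFC 3110 layout (exponent length, exponent,
# modulus) with an absurdly small modulus.  NOT a real key.
EXAMPLE_PUBKEY = bytes.fromhex("03010001" "c0ffee4210203040")
EXAMPLE_RDATA = dnskey_rdata(257, 3, 8, EXAMPLE_PUBKEY)
EXAMPLE_ZONE = "example.org."

if __name__ == "__main__":
    print(f"{EXAMPLE_ZONE} IN DNSKEY 257 3 8 "
          f"{base64.b64encode(EXAMPLE_PUBKEY).decode()}")
    for record in publish_records(EXAMPLE_ZONE, EXAMPLE_RDATA):
        print(record)
```

Because the DLV record is byte-for-byte the DS record under a different owner name, a zone owner in transition can hand the DS line to a registrar that accepts it and submit the DLV line to the registry at the same time; a validator configured with both trust anchors will accept either path.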

Comments

The DLV will be needed for some time to come. For instance, while the dot-US ccTLD is signed, there is no way for domain owners to insert DS records (yet).

Even when a TLD Registry does add DNSSEC support, it takes some time to get Registrars on board with this. For instance, the dot-ORG gTLD launched with 13 Registrars and is now at 20, but still very far from universal support.

I did warn my Registrar, GKG, that they needed to add DNSSEC support, and transferred all of my dot-ORG gTLDs away to a Registrar with support. I notified their support this is why I did this and that I would continue to transfer away all of my domains as each TLD zone supports DNSSEC records for which they did not yet have support and other Registrars did. I'd like to think my actions moved them forward faster, as I see GKG now supports dot-ORG gTLD DNSSEC records.

I did the same with IPv6 NS records at GoDaddy (which required calling their tech support to manually add them). This was fixed at GoDaddy not too long after I transferred my domains to a Registrar supporting IPv6 NS records.

One interesting situation DLV now faces is that the root requires an algorithm that is not available in versions of BIND prior to 9.6.2. This means that even if a TLD is signed with RSASHA1, which is supported by BIND 9.5, the only way to reach it is via the DLV records or static configuration.

A question we inside ISC are facing is then, at what level should DLV continue to support these older versions of BIND, when we want to encourage people to use the root zone as well?

I'd love to hear comments on this from people outside ISC.

I too have GKG as my registrar, and after 6 months of .ORG supporting DNSSEC in the registry, I also threatened to transfer away. Fortunately for them, they provided an interface for entering the DS records two days later. They also support .NET. They don't support .INFO or .NAME yet, but indicated that the registry is the holdup. (.NAME doesn't even have IPv6 reachable name servers.)

As for ISC, since NSEC3 is the signing validator record of choice for zones other than the root and reverse IP lookups, all versions of BIND that do not support it should be end-of-life. I also think that the DLV should check to see if an actual signing delegation exists (i.e. DS records) outside of it and alert its subscribers that a DLV entry may no longer be necessary. As the DLV periodically checks to see that the name servers are reachable (by fetching them from the parent zone following delegations from the root), I don't see why it can't ask for the DS records along the way.

I'm amazed to find that there are still some ISPs and colo providers whose name servers are DNSSEC-unaware, including running versions of BIND prior to 9.4, and those that "forget" to open TCP port 53 in their firewalls.

I would also like to see the EDNS packet size increased to 8,192 (or no limit other than MTU size). Most "jumbo-framed" networks (usually 9,000 or 9,216 byte MTUs) would easily handle this. Limiting this to 4,096 is simply yet another bonehead move like the original 512 byte UDP limit. The data should govern the size, not vice-versa.

Lastly, BIND should distribute a copy of the root key with itself. The DLV key is technically not necessary anymore - as root, .ORG, ISC.ORG, and DLV.ISC.ORG are all signed and trusted from the root key. The DLV key need not be offered through the web site anymore as well.