How sufficient is it to rely on dlv.isc.org?
Chris Thompson
cet1 at hermes.cam.ac.uk
Tue Sep 23 13:07:43 UTC 2008
When configuring a DNSSEC-aware resolver, what is a sensible set
of trust anchors to start with, at the present time?
The number of DLV records in dlv.isc.org is gradually increasing[*],
and it has recently acquired one for a second TLD ("cz." in addition
to "br."). But how much of the DNSSEC-aware namespace is actually
covered this way? There are TLDs (e.g. "se." and "bg.") that are
signed but do not appear in dlv.isc.org.
Are there other (competing?) DLV zones? Or other usefui collections
of trust anchors?
[*] How do I know? Well dlv.isc.org uses NSEC records and is
therefore "enumerable" :-) 113 DLV records at the end of July,
163 today.
--
Chris Thompson
Email: cet1 at cam.ac.uk
More information about the bind-users
mailing list