recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

Doug Barton dougb at dougbarton.us
Tue Aug 26 16:52:27 UTC 2014



On 8/26/14 5:50 AM, Tomas Hozza wrote:
| On 08/26/2014 02:27 PM, Mark Andrews wrote:
|>> Why would you expect them to succeed?
|
| Because validation using root servers and authoritative servers
| proved that the domain is intentionally unsecure.

Tomas,

It seems that Mark straightened you out a bit. :) I think it's
worthwhile to discuss a little more of the theory for those watching
the thread, and for the archives.

The point of DLV initially was to provide a mechanism for sharing
trust anchors for those that did not have a path through the root
(which in the early days of course was everyone). Thus Mark's point
that the lack of a path through the root is not conclusive is quite
important.

The other thing worth pointing out is that while it's certainly fine
to test the DLV, and understand how it works, at this point in the
evolution of DNSSEC the commonly accepted wisdom is that it should not
be used routinely; and in fact should only be used when the admin
knows that there is a TA in it that she needs, and that is not
available with a path through the root.

FWIW,

Doug

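As an added illustration of the point Mark and Doug make above (this is not code from BIND or from the thread): a simplified Python model of a validator with lookaside enabled. The DlvZone stand-in, the names and the outcomes are constructed; the model assumes, as the thread describes, that an "insecure" result from the normal chain is only final once the DLV has been checked, so an unreachable DLV leaves the validator unable to conclude.

```python
from dataclasses import dataclass, field
from enum import Enum


class Outcome(str, Enum):
    SECURE = "secure"      # validated from a configured trust anchor
    INSECURE = "insecure"  # proven unsigned: no DS at some delegation
    BOGUS = "bogus"        # signed, but the signatures failed to validate
    SERVFAIL = "servfail"  # the validator could not reach a conclusion


@dataclass
class DlvZone:
    """Constructed stand-in for dlv.isc.org (not a copy of the real zone)."""
    reachable: bool
    # name -> outcome of validating the chain that starts at that DLV anchor
    anchors: dict = field(default_factory=dict)


def enclosing_names(name):
    """Yield name and every enclosing name down to the TLD, e.g.
    www.example.org. -> www.example.org., example.org., org."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def validate(name, root_outcome, lookaside, dlv):
    """Decide the final validation outcome for `name`.

    root_outcome: result of validation along the normal chain from the root.
    lookaside:    the dnssec-lookaside setting, "auto" or "no".
    """
    if lookaside == "no" or root_outcome is not Outcome.INSECURE:
        # Secure and bogus results are conclusive on their own; the DLV is
        # consulted only when the normal chain stops at an unsigned delegation.
        return root_outcome
    if not dlv.reachable:
        # The missing path through the root is not conclusive: a DLV anchor
        # might exist but cannot be checked, so "insecure" cannot be proven.
        return Outcome.SERVFAIL
    for candidate in enclosing_names(name):
        if candidate in dlv.anchors:
            return dlv.anchors[candidate]  # validate from the DLV anchor instead
    return Outcome.INSECURE  # DLV proves there is no anchor: really unsigned
```

With `lookaside="no"` the normal-chain result is final, which is why an unreachable DLV then stops mattering for unsigned names.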

