From: dns-wg-admin@ripe.net [mailto:dns-wg-admin@ripe.net] On Behalf Of David Conrad
Sent: 25 October 2008 20:50

(...)

This is NOT what I am claiming. I stated:

"[...] I personally believe [DLV] is non-scalable, non-standard, and imputes a highly questionable trust model into _every_ non-cached DNS lookup [...]."

Configuring the resolver (caching nameserver) with a DLV also makes it as dependent on the DLV zone as it is on the root zone. If the DLV zone is unavailable, no DNSsec checking and validation will work and the server will consider all DNS data as untrusted, i.e. returning all queries with SERVFAIL.

We run DNSsec validation for some 1.5 million customers with .SE as the sole trust anchor. I will leave the DLVs out for many reasons.

Mats

------------------------------------------
Mats Dufberg
TeliaSonera BBS P&P VAS/Internet
+46-70-2582588
mats.dufberg@teliasonera.com
------------------------------------------