> Mark, > > On Aug 29, 2007, at 4:23 PM, Mark Andrews wrote: > >> If the root gets signed and you remove the DLV stuff, won't you break > >> any caching resolver that still has the DLV trust anchor configured? > > No. Please re-read the quoted paragraph. The root's DLV > > will be there. > > Please re-read my question. > > > > > You only need DLV records where there is a missing link in the > > trust chain. If you have "." you don't need a DLV for "se" as > > there will be a DS for "se" in the root zone. > > Perhaps surprisingly, I understand this. > > My question, somewhat expanded, is: > > If you configure a trust anchor for "the" DLV registry and at some > point in time in the future, that DLV registry ceases to function > _and you have not changed the trust anchor configuration_, won't > validation fail? > > The point of this question: > > If you start mucking about with production services that require > configuration on the part of system administrators (particularly in > the somewhat arcane world of DNSSEC trust anchors), it can become > quite difficult to stop that production service without breaking > stuff. Is this a place we want to go for a temporary hack? > > Thanks, > -drc > We were well aware of that. A minimal DLV is a signed empty zone. Agressive negative caching will reduce the query load to 1 query per neg ttl. ~1 query every 3 hours with current defaults. Once you are in the DLV registry business you are in it for the long haul. I expect it would take years to taper off. ISC also has a mailing list to inform people of roll overs on the DLV trust anchor. This same list can be used to inform people that the DLV registry is shutting down (going to minimial state). If one wants to force the issue one lets the RRSIG expire which will break resolution for anything for which there is not a trust chain from a alternate trust anchor. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@xxxxxxx _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf