Moving DNSSEC Lookaside Validation (DLV) to Historic Status
draft-mekking-dnsop-obsolete-dlv-00
|
| Document |
Type |
|
Active Internet-Draft (dnsop WG)
|
|
Last updated |
|
2019-07-10
(latest revision 2019-07-02)
|
|
Stream |
|
IETF
|
|
Intended RFC status |
|
(None)
|
|
Formats |
|
plain text
pdf
html
bibtex
|
| Stream |
WG state
|
|
WG Document
|
|
Document shepherd |
|
No shepherd assigned
|
| IESG |
IESG state |
|
I-D Exists
|
|
Consensus Boilerplate |
|
Unknown
|
|
Telechat date |
|
|
|
Responsible AD |
|
(None)
|
|
Send notices to |
|
(None)
|
DNS Operations W. Mekking
Internet-Draft D. Mahoney
Intended status: Informational ISC
Expires: January 3, 2020 July 2, 2019
Moving DNSSEC Lookaside Validation (DLV) to Historic Status
draft-mekking-dnsop-obsolete-dlv-00
Abstract
This document obsoletes DNSSEC lookaside validation (DLV) and
reclassifies RFCs 4431 and 5074 as Historic.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 3, 2020.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Discussion
3. Moving DLV to Historic Status
3.1. Documents that reference the DLV RFCs
3.1.1. Documents that reference RFC 4431
3.1.2. Documents that reference RFC 5074
4. IANA Considerations
5. Security considerations
6. Acknowledgements
7. Normative References
Authors' Addresses
1. Introduction
DNSSEC Lookaside Validation (DLV) was introduced to assist with the
adoption of DNSSEC [RFC4033] [RFC4034] [RFC4035] in a time where the
root zone and many top level domains (TLDs) were unsigned, to help
entities with signed zones under an unsigned parent zone, or that
have registrars that don't accept DS records. As of May 2019, the
root zone is signed and 1389 out of 1531 TLDs have a secure
delegation from the root; thus DLV has served its purpose and can now
retire.
2. Discussion
One could argue that DLV is still useful because there are still some
unsigned TLDs and entities under those zones will not benefit from
signing their zone. However, keeping the DLV mechanism also has
disadvantages:
o It reduces the pressure to get the parent zone signed.
o It reduces the pressure on registrars to accept DS records.
o It complicates validation code.
In addition, not every validator actually implements DLV (only BIND 9
and Unbound) so even if an entity can use DLV to set up an alternate
path to its trust anchor, its effect is limited. Furthermore, there
was one well-known DLV registry (dlv.isc.org) and that has been
deprecated (replaced with a signed empty zone) on September 30, 2017.
With the absence of a well-known DLV registry service it is unlikely
that there is a real benefit for the protocol on the Internet
nowadays.
One other possible reason to keep DLV is to distribute trust anchors
for private enterprises. However it was never the intention for DLV
to be used for this purpose, and DLV has some properties that do not
entirely fit this use case:
o It would be more desirable if the trust anchors for internal zones
have a higher priority than the public trust anchors, but DLV
works as a fallback.
o Since the zones are related to private networks, it would make
more sense to make the internal network more secure to avoid name
redirection, rather than complicate the DNS protocol.
Given these arguments, plus its fairly limited use case, and the
above disadvantages to keep DLV, it is probably not worth the effort
of maintaining the DLV mechanism.
3. Moving DLV to Historic Status
There are two RFCs that specify DLV:
1. RFC 4431 [RFC4431] specifies the DLV resource record.
2. RFC 5074 [RFC5074] specifies the DLV mechanism for publishing
trust anchors outside the DNS delegation chain and how validators
can use them to validate DNSSEC-signed data.
This document moves both RFC 4431 [RFC4431] and RFC 5074 [RFC5074] to
Historic status. This is a clear signal to implementers that the DLV
Show full document text