DNSSEC Gets Validated With DLV - Page 2
Scalability
The DLV effort began at the ISC three years ago, with ISC being the primary DNS host. NeuStar and Afilias are now coming on board as secondary sources.
"Secondary in DNS terms means that they are also an authoritative source of the zones data but the master data is created on our servers and securely propagated to the secondaries," ISC's Graff said. "The DNS protocol will select the best nameserver randomly at first and then over time base up a dynamic table of response times. So secondary isn't really for redundancy as much as it is about network diversity."
Rodney Joffe, senior vice president and senior technologist at NeuStar, told InternetNews.com that DLV is now available in a more robust form than the ISC alone was able to offer three years ago.
"DLV had little traction back then because DNSSEC seemed long off," Joffe said. "Now it's much closer to reality, cache poisoning is a proven, real danger, so now there is a driver from the customer side."
Afilias' Mohan commented that historically the issues related to DNSSEC adoption have been a chicken-and-egg problem. That is, users did not want to bear the cost of overhauling their DNS operations to support DNSSEC if zones weren't signed and actually sharing secure information.
"In the time between now and when the Root and all major TLDs are signed, organizations responsible for directing end users to Web sites (i.e., ISPs) need an interim place to rely on for this information that is trusted and reliable," Mohan said.
"ISC's DLV is that place."