Mark Andrews <marka@isc.org> wrote:
An organisation can also deploy DLV for their own zones using their own registry. While the current code DLV validating code is only invoked when the response validates as insecure, there is nothing preventing a policy which says that DLV trumps or must also validate for entries in a registry. At this stage is would be a minor code change to add such policy knobs. DLV is a just a in-band way of distributing trust anchors.
Yes (as Mark knows) I would like to be able to use DLV in this enterprisey way. It should also help validators to continue working for local domains when external connectivity is funted. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ East Sole, Lundy, Fastnet, Irish Sea: Southeasterly 4 or 5. Rough or very rough, but slight or moderate in Irish Sea. Mainly fair. Good, occasionally poor.