Maintained by: NLnet Labs

[Unbound-users] High number of system context switches

Sotiris Tsimbonis
Sat Apr 12 08:22:57 CEST 2014


On 12/04/2014 12:22 AM, Jan-Frode Myklebust wrote:
> On Fri, Apr 11, 2014 at 11:44:38PM +0300, Sotiris Tsimbonis wrote:
>>
>> Try commenting out the dlv-anchor-file directive.
> 
> Excuse my DNSSEC ignorance, but what's the consequence of commenting out
> this directive? Will it still be OK to run a dnssec validating
> nameserver, or will too much fail to validate. Or maybe lack of tld
> trust anchor means DLV will just be ignored and served as non-validating
> dnssec?

You will not validate domains in TLDs that have not been signed yet.

The .au TLD has not been signed yet, but will be signed later this
month. Signed .au domains today can only be validated because of DLV[1].
It fills the trust gap between the signed root and a dnssec signed
domain within a non-signed TLD.

Your dns will still be validating all domains with a "proper" chain of
trust, so later this month we will be able to validate .au domains
without the use of DLV.

http://stats.research.icann.org/dns/tld_report/ shows these numbers today:

532 TLDs in the root zone in total
343 TLDs are signed;
336 TLDs have trust anchors published as DS records in the root zone;
3 TLDs have trust anchors published in the ISC DLV Repository.

Sot.

[1]
http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#DNSSEC_Lookaside_Validation