[dns-operations] Implementation of negative trust anchors?
Doug Barton
dougb at dougbarton.us
Thu Aug 22 19:06:49 UTC 2013
On 08/22/2013 08:29 AM, Mehmet Akcin wrote:
> On 8/21/13 11:25 AM, "Warren Kumari" <warren at kumari.net> wrote:
>
> >>>FWIW, I remain opposed to the idea, but trying to do due diligence.
> >> I still like the idea as it is the only way for big resolver providers
> >>to deploy DNSSEC when their competitors have not.
> >
> >+lots. Penalizing the early adopters simply leads to no deployment.
>
>
> Agreed!

As stated before, the problem is that after the "early adopter" period
is over we'll be stuck with NTAs forever. This is one of those
fundamental disagreements between those who believe that DNS should
always be forgiving of operator error, and those of us who do not.

I continue to maintain that NTAs violate the whole principle of DNSSEC,
and that if there is a high price for doing it wrong fewer people will do
it wrong.

Doug