[dns-operations] Implementation of negative trust anchors?

Doug Barton dougb at dougbarton.us
Thu Aug 22 19:06:49 UTC 2013


On 08/22/2013 08:29 AM, Mehmet Akcin wrote:
>     On 8/21/13 11:25 AM, "Warren Kumari" <warren at kumari.net> wrote:
>
>      >>>FWIW, I remain opposed to the idea, but trying to do due diligence.
>      >> I still like the idea as it is the only way for big resolver providers
>      >>to deploy DNSSEC when their competitors have not.
>      >
>      >+lots. Penalizing the early adopters simply leads to no deployment.
>
>
> Agreed!

As stated before, the problem is that after the "early adopter" period 
is over we'll be stuck with NTAs forever. This is one of those 
fundamental disagreements between those who believe that DNS should 
always be forgiving of operator error, and those of us who do not.

I continue to maintain that NTAs violate the whole principle of DNSSEC, 
and that if there is a high price for doing it wrong, fewer people will do 
it wrong.

Doug



