[dns-operations] Implementation of negative trust anchors?

Vernon Schryver vjs at rhyolite.com
Thu Aug 22 19:55:30 UTC 2013

> From: Doug Barton <dougb at dougbarton.us>

> >      >+lots. Penalizing the early adopters simply leads to no deployment.

How long after the start of significant DNSSEC deployment (say the
signing of com) will the early adopter period end?
When I saw that comment about early adopters, my first thought was
"Yes, perhaps that's a good point for last year, but what about today?"
Even Comcast seems to have lost interest in NTA based on the infrequent
changes to http://dns.comcast.net/ this year, not to mention that the
most recent announced NTA among those pages seems to have been last

As far as I can tell from my limited perspective, DNSSEC errors are
now more common than they were last year.  Contrary to some apparent
opinions, I think that's a reason to stuff NTA down the memory hole.
With real use will inevitably come a lot of errors, and forever.
That is no more unexpected or worse than lame delegations and
the many other ways to mess up DNS.

> I continue to maintain that NTAs violate the whole principle of DNSSEC, 

Yes!  An official protocol definition gets NTA onto checklists and
thence into all competing products.  That will aid and abet various
organizations with reasons to oppose DNSSEC (and DANE), such as
authoritarian regimes with firewalls as well as nominally free
regimes with more subtle interests in modifying DNS records.
After NTA is standard in products, then I bet U.S. ISPs will start
getting secret orders concerning its use.

Vernon Schryver    vjs at rhyolite.com