[dns-operations] Implementation of negative trust anchors?

WBrown at e1b.org
Thu Aug 22 19:59:48 UTC 2013

> From: Doug Barton <dougb at dougbarton.us>

> As stated before, the problem is that after the "early adopter" period 
> is over we'll be stuck with NTAs forever. This is one of those 
> fundamental disagreements between those who believe that DNS should 
> always be forgiving of operator error, and those of us who do not.

Running the DNS for 100+ school districts and 400,000+ devices, I really, 
REALLY don't want to be the one saying "Sorry, you can't use the site 
called for in your lesson plan today because they messed up the DNSSEC 
records."  Management's response would be "Just make it work!"

Without a per domain NTA, the only option would be to turn off DNSSEC, 
returning to square one.

> I continue to maintain that NTAs violate the whole principle of DNSSEC, 
> and that if there is a high price for doing it wrong less people will do 
> it wrong.

Our browsers give us the option to trust invalid TLS certificates, some 
even storing it indefinitely.  Is an NTA much different?

There's also a price (time spent) for people having to add NTAs for 
failing domains.  Admins may decide that it's not worth the hassle to add 
an NTA for a particular domain if there isn't enough reason/demand for it.

Perhaps the NTA mechanism needs some tuning.  What if an NTA was only 
valid for one key value.  Once key was replaced, the NTA would no longer 
be valid, preventing it from hanging around to trust a forged answer far 
in the future.  I don't have an answer for how to handle a domain that 
never updates the key, letting the NTA stay in place.  Perhaps specifying 
a time out, as well as expiring on key update.
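The key-pinned, time-limited NTA proposed above, modelled as a small resolver-side table (an added example, not code from the list post or from any resolver). Assumptions: the NTA is pinned to a SHA-256 digest of the zone's whole DNSKEY RRset, the default lifetime cap is 24 hours, and the key set passed in is whatever the zone currently serves, unvalidated, since failing validation is the reason the NTA exists.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class DnsKey:
    """One DNSKEY record: flags (256 = ZSK, 257 = KSK), protocol (3), algorithm, key bytes."""
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA as laid out in RFC 4034 section 2.1.
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

def rrset_fingerprint(keys) -> str:
    # Order-independent digest of the zone's DNSKEY RRset. Assumption: the NTA is
    # pinned to the whole RRset, so a KSK or a ZSK rollover both retire it.
    h = hashlib.sha256()
    for rd in sorted(k.rdata() for k in keys):
        h.update(len(rd).to_bytes(2, "big") + rd)
    return h.hexdigest()

@dataclass
class NegativeTrustAnchor:
    zone: str
    fingerprint: str   # DNSKEY RRset the operator looked at when adding the NTA
    expires_at: float  # hard timeout for zones that never roll their keys

class NtaStore:
    """Resolver-side NTA table with the two expiry rules proposed in the post."""
    def __init__(self, max_lifetime: float = 86400.0):
        self.max_lifetime = max_lifetime  # assumed cap: 24 hours
        self.anchors: dict[str, NegativeTrustAnchor] = {}

    def add(self, zone, observed_keys, now, lifetime=None):
        life = min(lifetime if lifetime is not None else self.max_lifetime, self.max_lifetime)
        self.anchors[zone.lower()] = NegativeTrustAnchor(
            zone.lower(), rrset_fingerprint(observed_keys), now + life)

    def validation_disabled(self, zone, observed_keys, now) -> bool:
        """True only while the NTA is unexpired AND the zone still serves the pinned DNSKEY RRset."""
        nta = self.anchors.get(zone.lower())
        if nta is None:
            return False
        if now >= nta.expires_at or rrset_fingerprint(observed_keys) != nta.fingerprint:
            del self.anchors[zone.lower()]  # timed out or key rolled: resume normal validation
            return False
        return True
```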
