[dns-operations] Implementation of negative trust anchors?
WBrown at e1b.org
Thu Aug 22 19:59:48 UTC 2013
> From: Doug Barton <dougb at dougbarton.us>
> As stated before, the problem is that after the "early adopter" period
> is over we'll be stuck with NTAs forever. This is one of those
> fundamental disagreements between those who believe that DNS should
> always be forgiving of operator error, and those of us who do not.
Running the DNS for 100+ school districts and 400,000+ devices, I really,
REALLY don't want to be the one saying "Sorry, you can't use the site
called for in your lesson plan today because they messed up the DNSSEC
records." Management's response would be "Just make it work!"
Without a per domain NTA, the only option would be to turn off DNSSEC,
returning to square one.
> I continue to maintain that NTAs violate the whole principle of DNSSEC,
> and that if there is a high price for doing it wrong fewer people will do
> it wrong.
Our browsers give us the option to trust invalid TLS certificates, some
even storing it indefinitely. Is an NTA much different?
There's also a price (time spent) for people having to add NTAs for
failing domains. Admins may decide that it's not worth the hassle to add
an NTA for a particular domain if there isn't enough reason/demand for it.
Perhaps the NTA mechanism needs some tuning. What if an NTA was only
valid for one key value? Once the key was replaced, the NTA would no longer
be valid, preventing it from hanging around to trust a forged answer far
in the future. I don't have an answer for how to handle a domain that
never updates the key, letting the NTA stay in place. Perhaps specifying
a timeout, as well as expiring on key update.
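As an added illustration of the tuning proposed above (example code, not from the original post or any resolver), a resolver-side NTA table that binds each anchor to the DNSKEY it was added against and discards it when the zone publishes a different key or the timeout passes. Zone names, key bytes and timestamps are constructed.

```python
import hashlib
import time
from dataclasses import dataclass


def dnskey_fingerprint(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> str:
    """SHA-256 over the DNSKEY RDATA (flags, protocol, algorithm, public key),
    i.e. the 'key value' an NTA is bound to."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    return hashlib.sha256(rdata).hexdigest()


@dataclass
class NegativeTrustAnchor:
    zone: str          # zone whose validation failures are bypassed
    key_fp: str        # fingerprint of the DNSKEY seen when the NTA was added
    expires_at: float  # absolute time after which the NTA is dropped regardless


class NtaTable:
    def __init__(self) -> None:
        self._ntas = {}  # normalised zone name -> NegativeTrustAnchor

    @staticmethod
    def _norm(zone: str) -> str:
        return zone.lower().rstrip(".")

    def add(self, zone: str, key_fp: str, ttl_seconds: float, now=None) -> None:
        now = time.time() if now is None else now
        self._ntas[self._norm(zone)] = NegativeTrustAnchor(zone, key_fp, now + ttl_seconds)

    def bypass_validation(self, zone: str, current_key_fp: str, now=None) -> bool:
        """Return True only if a bogus answer for `zone` should be served anyway.
        The NTA is removed (and False returned) on timeout or on key change."""
        now = time.time() if now is None else now
        name = self._norm(zone)
        nta = self._ntas.get(name)
        if nta is None:
            return False
        if now >= nta.expires_at or current_key_fp != nta.key_fp:
            del self._ntas[name]  # key rolled or timed out: operator must re-add
            return False
        return True


if __name__ == "__main__":
    old = dnskey_fingerprint(257, 3, 8, b"constructed-old-ksk")
    new = dnskey_fingerprint(257, 3, 8, b"constructed-new-ksk")
    table = NtaTable()
    table.add("example.", old, ttl_seconds=3600, now=1000.0)
    print(table.bypass_validation("example.", old, now=1500.0))  # True
    print(table.bypass_validation("example.", new, now=1500.0))  # False: key rolled
```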