[dns-operations] Implementation of negative trust anchors?

Vernon Schryver vjs at rhyolite.com
Thu Aug 22 20:45:25 UTC 2013

> From: WBrown at e1b.org

> Running the DNS for 100+ school districts and 400,000+ devices, I really, 
> REALLY don't want to be the one saying "Sorry, you can't use the site 
> called for in your lesson plan today because they messed up the DNSSEC 
> records."  Management's response would be "Just make it work!"
> Without a per domain NTA, the only option would be to turn off DNSSEC, 
> returning to square one.

You don't do crazy things like poke around to get an old copy of
"their" zone and publish a pirate copy when "they" mess up something
else.  You say something like "They messed up."
In this case, you could and should say something like:
  "Our network security defenses are telling us that there is
  something wrong there.  Instead of lesson plans, you might be
  getting child porn if you visit their pages today."

> Our browsers give us the option to trust invalid TLS certificates, some 
> even storing it indefinitely.  Is an NTA much different?

Yes, because TLS differs: public PKI certs are merely a
charade of pretend security intended to fool the rubes and harvest
money from those who cannot, for various good and bad reasons, refuse to
pay the commercial PKI cert vendors.  (Yes, some commercial PKI
certs are free, which says all that needs to be said to anyone with
0.1% of a clue about the security of every commercial PKI cert.)
A valid commercial PKI cert tells you *NOTHING* about the web data
it purports to guarantee except that someone was willing to pay time,
effort, and perhaps some money to appear trustworthy.

Perhaps in the real world, no evil nasty hackers are going to replace
your staff's educational pages with nastiness with either bogus
certs or corrupt DNS, but things are definitely otherwise elsewhere.

Vernon Schryver    vjs at rhyolite.com
