[dns-operations] Implementation of negative trust anchors?

Edward Lewis ed.lewis at neustar.biz
Thu Aug 22 21:14:59 UTC 2013

(Just using this to launch into a tirade.)

On Aug 22, 2013, at 15:59, <WBrown at e1b.org> <WBrown at e1b.org> wrote:
> Running the DNS for 100+ school districts and 400,000+ devices I really, 
> REALLY don't want to be the one saying "Sorry, you can't use the site 
> called for in your lesson plan today because they messed up the DNSSEC 
> records."  Management's response would be "Just make it work!"

One thing that seems to need repeating from time to time is this passage in RFC 4033.

   ...  In the final
   analysis, however, authenticating both DNS keys and data is a matter
   of local policy, which may extend or even override the protocol
   extensions defined in this document set.  See Section 5 for further

A responsibility (one of many) of a caching server operator is to "protect the integrity of the cache."  DNSSEC is just a tool to help accomplish that.  It carries ancillary data that a local cache administrator may use to filter out undesired responses.  DNSSEC is not an enforcement mechanism, it's a resource.

When I see folks voice opinions that DNSSEC's recommended operation has to be strictly followed, my gut reaction is that these folks have forgotten the purpose of all of our efforts.  We don't secure protocols to make things work better.  We don't operate the DNS because we like to run a well run machine.  We don't run the Internet for the fun of it.  (Some might enjoy running it, that's job satisfaction to some extent.)

At the end of the day all that matters is that what is being done benefits society.  We run the Internet to enrich society.  We prefer a well run DNS because it saps less resources than a poorly run DNS.  We prefer secure protocols so that people don't become victims (in some sense of the word).

Make it work.  Do what it takes to make it work.  "Local policy" rules.

Edward Lewis             
NeuStar                    You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.
