[dns-operations] Implementation of negative trust anchors?

Joe Abley jabley at hopcount.ca
Thu Aug 22 21:37:22 UTC 2013


On 2013-08-22, at 12:06, Doug Barton <dougb at dougbarton.us> wrote:

> As stated before, the problem is that after the "early adopter" period is over we'll be stuck with NTAs forever.

I think we need to acknowledge that there will always be signing problems, and there will always be validator operators who know that certain failures are the result of those signing problems, and not some kind of attack.

Further, there will always be such validator operators who have Good Reasons to accept and serve such responses. We don't need to agree that the reasons are sensible, just that some people will have them.

We are not talking about code or protocol quality here, we are talking about humans. Code and protocols improve over time. Humans do not.

Last thing, we have NTAs today. People use them.

So, there are two plausible outcomes here:

(a) DNSSEC deployment reverses, and nobody uses it any more, so there is no need for NTAs.

(b) We will always have NTAs.

I don't feel like there is any reason to aim for outcome (a), which leaves us with (b).

If we accept that logic, then the pertinent question is whether or not NTAs should be standardised (in a protocol or operational sense). I think the answer is yes. So do others. Some don't see value in it, but that's fine; nobody is *requiring* anybody to implement anything.


Joe
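[Editor's note: the following is an added example, not part of Joe's message and not the code of any resolver. It is a hypothetical model of the validator-side logic an NTA implies: an operator-supplied owner name with a bounded lifetime, applied only to names at or below that owner, under which a "bogus" validation result is served as unvalidated data instead of SERVFAIL, and after whose expiry validation failures surface again. The class and function names (NegativeTrustAnchors, resolver_outcome) and the 7-day default ceiling are assumptions for illustration.]

```python
import time


def _labels(name):
    """Split a DNS name into labels, lowest first, ignoring case and a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


class NegativeTrustAnchors:
    """Hypothetical model of an operator-maintained NTA table (example code).

    Each entry maps a normalised owner name to an expiry timestamp. An NTA
    covers the owner and everything below it, never the names above it.
    """

    def __init__(self, max_lifetime=7 * 24 * 3600):
        # Assumed ceiling: an NTA is a temporary workaround, so refuse
        # lifetimes that would make it effectively permanent.
        self.max_lifetime = max_lifetime
        self._entries = {}

    def add(self, name, lifetime, now=None):
        if lifetime <= 0 or lifetime > self.max_lifetime:
            raise ValueError("NTA lifetime must be between 1s and max_lifetime")
        now = time.time() if now is None else now
        self._entries[".".join(_labels(name))] = now + lifetime

    def remove(self, name):
        self._entries.pop(".".join(_labels(name)), None)

    def covering(self, qname, now=None):
        """Return the closest enclosing, non-expired NTA for qname, or None.

        Walks from qname up towards the root, so an NTA for example.com
        covers www.example.com but an NTA for www.example.com does not
        cover example.com. Expired entries are dropped when encountered.
        """
        now = time.time() if now is None else now
        labels = _labels(qname)
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            expiry = self._entries.get(candidate)
            if expiry is None:
                continue
            if expiry > now:
                return candidate
            del self._entries[candidate]
        return None


def resolver_outcome(ntas, qname, validation_state, now=None):
    """Decide what a validating resolver hands to the client.

    validation_state is the DNSSEC validator's verdict for the answer:
    "secure", "insecure" or "bogus". Only a bogus verdict is affected by an
    NTA, and a covered bogus answer is served as insecure (no AD bit), not
    as secure.
    """
    if validation_state != "bogus":
        return validation_state
    if ntas.covering(qname, now) is not None:
        return "insecure"
    return "servfail"


if __name__ == "__main__":
    # Constructed scenario: a signing problem at example.com has made its
    # answers bogus; the operator installs a one-hour NTA at t=1000.
    ntas = NegativeTrustAnchors()
    ntas.add("example.com", lifetime=3600, now=1000)
    print(resolver_outcome(ntas, "www.example.com", "bogus", now=2000))  # insecure
    print(resolver_outcome(ntas, "com", "bogus", now=2000))              # servfail
    print(resolver_outcome(ntas, "www.example.com", "bogus", now=5000))  # servfail (expired)
```

The subtree walk is the part worth getting right: matching on string suffix instead of whole labels would let an NTA for example.com silently cover notexample.com, and a table without expiry is exactly the "stuck with NTAs forever" outcome discussed above.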



