[dns-operations] Implementation of negative trust anchors?

Paul Vixie paul at redbarn.org
Fri Aug 23 00:06:42 UTC 2013



Suzanne Woolf wrote:
>
> On Aug 22, 2013, at 6:25 PM, Paul Vixie <paul at redbarn.org
> <mailto:paul at redbarn.org>> wrote:
>
>> ... i don't like NTA. if my signatures don't work because i've been
>> attacked (for example, one of my name servers has been compromised),
>> the last thing i'd want is comcast telling their customers that the
>> data they're getting from my compromised name server is ok to consume
>> because it's unsigned.
>
> I don't like it either, but it limits the damage done by a DNSSEC
> failure to status quo ante rather than something worse. After all, "ok
> to consume because (even though) it's unsigned" is where we were all
> the time pre-DNSSEC, and where we are today where it's undeployed... and
> for some operators, better than having a validation failure cause a
> resolution failure.

i see that. i just find it indescribable that a content owner who signs
their zone as a means to protect themselves against corruption in their
secondary servers, can have that tool taken out of their hands by a
distant resolver operator who uses NTA to keep their own phone from ringing.

>> madness test: would we have bothered with DNSSEC at all, back in the
>> day, if NTA had been known as a definite requirement?
>
> I realize this is something of a rhetorical question, but I'll bite:
> if it were framed as a way of promoting incremental, fault-tolerant
> deployment and mitigating the cost shifting of "I screw up and your
> phone rings," some of us might well have been happy to include it. 
>
> I recall a lot of talk during the DNSSEC specification and
> implementation process about the primacy of local policy. It's not a
> major reach for me to regard NTA as a perfectly reasonable knob for
> setting local policy.

as someone who depended on the local policy exemption to make dlv work,
i follow this line of reasoning. what i would like in local policies
like nta or dlv which seek to be distributed and scalable is, whenever
it's used, it makes something more secure. nta fails that test, unless
we're also going to add signaling similar to DS (so, comes from the
delegator) that would let a content owner say, if DNSSEC validation
fails, i want failure propagated to the end user. but i'd want that to
be the default. which is where we'd be back in absurdity land.

i totally understand that we have all got comcast to thank for the fact
that DNSSEC matters at all at this point, and that without an NTA knob
in their local policy framework, they could not have come this far.
where i'm drawing the line is NTA as a standard or even a BCP.

vixie
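The failure mode Vixie describes, modelled as code. This is an added example written for this page, not code from the thread or from any resolver; the zone names, addresses and the Resolver/Response classes are constructed for illustration. A validator normally distinguishes three outcomes: secure (chain verifies), insecure (the parent publishes no DS, so unsigned data is expected), and bogus (a DS exists but validation failed, so the resolver answers SERVFAIL). A negative trust anchor makes the resolver treat a zone as if no DS existed, which is exactly what turns unsigned data from a compromised secondary into a "consumable" answer:

```python
"""Model of how a negative trust anchor (NTA) changes a validating resolver's
verdict. Added illustration; names and addresses below are made up."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set, Tuple


class Status(Enum):
    SECURE = "secure"      # RRSIGs chain to a configured trust anchor
    INSECURE = "insecure"  # provably unsigned delegation: answer is served
    BOGUS = "bogus"        # DS exists but validation failed: SERVFAIL


@dataclass
class Response:
    owner: str       # owner name of the answer, e.g. "www.example.com."
    rdata: str       # the answer data (constructed address)
    has_rrsig: bool  # did the server return an RRSIG at all?
    sig_valid: bool  # does that RRSIG verify against the DNSKEY chain?


def closest_ancestor(name: str, zones: Set[str]) -> Optional[str]:
    """Longest zone in `zones` that is `name` itself or an ancestor of it."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


@dataclass
class Resolver:
    ds_zones: Set[str]                       # zones whose parent publishes a DS
    ntas: Set[str] = field(default_factory=set)  # operator-configured NTAs

    def add_nta(self, zone: str) -> None:
        """Operator knob: stop validating `zone` (and everything under it)."""
        self.ntas.add(zone)

    def validate(self, resp: Response) -> Status:
        # An NTA makes the resolver act as though the delegation were unsigned:
        # no signature is checked, so a stripped or forged answer is accepted.
        if closest_ancestor(resp.owner, self.ntas) is not None:
            return Status.INSECURE
        # No DS at the parent: the zone is legitimately unsigned.
        if closest_ancestor(resp.owner, self.ds_zones) is None:
            return Status.INSECURE
        if resp.has_rrsig and resp.sig_valid:
            return Status.SECURE
        # DS says "this zone is signed" but the answer does not verify.
        return Status.BOGUS

    def resolve(self, resp: Response) -> Tuple[Optional[str], Status]:
        """What the stub receives: (rdata or None for SERVFAIL, status)."""
        status = self.validate(resp)
        if status is Status.BOGUS:
            return None, status
        return resp.rdata, status


def demo():
    """Signed zone example.com; one honest answer, one from a compromised
    secondary that serves unsigned data. Returns verdicts before/after NTA."""
    r = Resolver(ds_zones={"example.com."})
    good = Response("www.example.com.", "192.0.2.10", has_rrsig=True, sig_valid=True)
    forged = Response("www.example.com.", "203.0.113.66", has_rrsig=False, sig_valid=False)
    before = {"good": r.resolve(good), "forged": r.resolve(forged)}
    r.add_nta("example.com.")   # resolver operator "keeps the phone from ringing"
    after = {"good": r.resolve(good), "forged": r.resolve(forged)}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for label, verdicts in (("without NTA", before), ("with NTA", after)):
        for kind, (rdata, status) in verdicts.items():
            print(f"{label:12} {kind:6} -> {status.value:8} {rdata}")
```

Before the NTA, the forged answer is bogus and the stub gets SERVFAIL, which is the zone owner's protection working as intended. After the NTA, the same forged answer is returned as insecure, indistinguishable from any never-signed zone, and nothing in the protocol lets the zone owner veto that. Real resolvers expose this knob directly (for instance BIND's `rndc nta` and Unbound's `domain-insecure:`); the model above only shows why the knob's effect is "accept unsigned data" rather than "ignore a transient error".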