[dns-operations] Implementation of negative trust anchors?

Vernon Schryver vjs at rhyolite.com
Fri Aug 23 00:07:34 UTC 2013

> From: Suzanne Woolf <woolf at isc.org>

> I don't like it either, but it limits the damage done by a DNSSEC =
> failure to status quo ante rather than something worse. 

That is mistaken.  You get the status quo ante by simply turning
off validation.
Turn off validation is the only sane response this year to phone calls
reporting the breakage of a major domain.  Even if you have NTA, from
now on you'll do as Comcast evidently is now doing and decline to pay
the current and future costs of adding minor domains to your NTA list.
You'll just tell your users Stuff Happens and perhaps help them use
`whois` to find someone else to bother.  Last year differed.

I trust (wish?) we all learned the excessive costs of organization-wide
white/blacklists from the last 15 years of the spam wars.

> > madness test: would we have bothered with DNSSEC at all, back in the =
> day, if NTA had been known as a definite requirement?
> I realize this is something of a rhetorical question, but I'll bite: if =
> it were framed as a way of promoting incremental, fault-tolerant =
> deployment and mitigating the cost shifting of "I screw up and your =
> phone rings," some of us might well have been happy to include it.=20

On the contrary, NTA is a new tool for deliberately introducing new
faults in the data you give your DNS clients.  It is a tool for lying
to your DNS clients with data that you swear is valid and signed but
that you know is at best unsigned and quite possibly invalid or worse.

If I didn't know that the inevitable user response to security
problems, I'd favor NTA as a way to get validation move where must
be eventually, at least as close as their nearest router.  After a
few kerfuffles in which it is discovered that telephants have been
ordered by government or corporate bosses to use NTA to obscure the
hijacking of domain names on grounds of copyright violation,
terrorism, publication of national defense secrets, or failure by
content providers to agree to telephant tariffs, one might hope
that users would stop using Central Facility's DNS validators.

Of course, besides the inevitable non-response by almost users,
some users would probably notice, figure it out, and care.
But as always, enough of the bosses and their minions won't
believe or care.

Vernon Schryver    vjs at rhyolite.com

More information about the dns-operations mailing list