[dns-operations] Implementation of negative trust anchors?

Cutler James R james.cutler at consultant.com
Fri Aug 23 00:10:07 UTC 2013


On Aug 22, 2013, at 7:05 PM, Suzanne Woolf <woolf at isc.org> wrote:

> On Aug 22, 2013, at 6:25 PM, Paul Vixie <paul at redbarn.org> wrote:
> 
>> 
>> 
>> Paul Hoffman wrote:
>>> 
>>> On Aug 22, 2013, at 2:47 PM, David Conrad <drc at virtualized.org> wrote:
>>> 
>>>> A resolver operator deploying an NTA is making an assertion that data behind a name is safe despite protocol indications that it may not be.
>>> 
>>> Where is that stated? I ask, because it would seem that a better description would be that they are asserting that the data behind a name is unprotected by DNSSEC.
>> 
>> agreed, and that's why, over and above the absurd engineering economics behind it, i don't like NTA. if my signatures don't work because i've been attacked (for example, one of my name servers has been compromised), the last thing i'd want is comcast telling their customers that the data they're getting from my compromised name server is ok to consume because it's unsigned.

To elaborate on Paul's comment:  

We really do not need to create another clever attack vector. We have sufficient already.
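The point the thread turns on, that an NTA does not assert "this data is safe" but only "stop validating here, treat it as unsigned", can be shown with a small model of a validating resolver. The following is an added illustration and not code from anyone on the thread; the zone states, addresses and the `Resolver` class are all constructed for the example, and the validation outcomes follow the Secure / Insecure / Bogus classification of RFC 4035. The model shows why a compromised server and an operator's broken key rollover look identical to an NTA: both turn SERVFAIL into a plain NOERROR answer with the AD bit clear.

```python
"""Toy model of DNSSEC validation outcomes with and without a Negative Trust
Anchor (NTA). Added example; all zone data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ZoneState:
    """What the validator learns about one zone cut (constructed model)."""
    has_ds: bool                 # parent publishes a DS for this zone
    sig_valid: Optional[bool]    # RRSIGs verify against the zone DNSKEY; None = unsigned
    rdata: str = ""              # the answer data served for the apex name


@dataclass
class Resolver:
    zones: Dict[str, ZoneState]
    ntas: Set[str] = field(default_factory=set)   # names carrying a negative trust anchor

    @staticmethod
    def ancestors(name: str) -> List[str]:
        """'example.org.' -> ['.', 'org.', 'example.org.'] (root first)."""
        labels = name.rstrip(".").split(".") if name != "." else []
        chain = ["."]
        for i in range(len(labels) - 1, -1, -1):
            chain.append(".".join(labels[i:]) + ".")
        return chain

    def validate(self, name: str) -> str:
        """Walk the chain of trust from the root trust anchor down to `name`."""
        state = "Secure"  # the root is covered by a configured trust anchor
        for zone in self.ancestors(name)[1:]:
            if zone in self.ntas:
                # The NTA says: stop validating here and treat the subtree as
                # unsigned. It says nothing about whether the data is genuine.
                return "Insecure"
            if state != "Secure":
                return state  # below an insecure delegation everything is insecure
            z = self.zones.get(zone)
            if z is None:
                continue      # not a zone cut; inherits the parent's state
            if not z.has_ds:
                state = "Insecure"   # provably unsigned delegation
            elif z.sig_valid:
                state = "Secure"
            else:
                return "Bogus"       # DS present but signatures do not verify
        return state

    def respond(self, name: str) -> dict:
        """What a client sees: Bogus -> SERVFAIL, otherwise the data, AD only if Secure."""
        state = self.validate(name)
        if state == "Bogus":
            return {"rcode": "SERVFAIL", "answer": None, "ad": False}
        rec = self.zones.get(name)
        return {"rcode": "NOERROR",
                "answer": rec.rdata if rec else None,
                "ad": state == "Secure"}


# Constructed scenario (192.0.2.0/24 is the documentation range).
# example.org. has a DS in the parent but its signatures fail: from the
# validator's seat this is indistinguishable between "operator broke the
# rollover" and "an attacker is serving forged data from a compromised server".
ZONES = {
    "org.": ZoneState(has_ds=True, sig_valid=True, rdata="192.0.2.1"),
    "example.org.": ZoneState(has_ds=True, sig_valid=False, rdata="192.0.2.10"),
    "unsigned.org.": ZoneState(has_ds=False, sig_valid=None, rdata="192.0.2.20"),
}


def without_nta() -> dict:
    return Resolver(dict(ZONES)).respond("example.org.")


def with_nta() -> dict:
    r = Resolver(dict(ZONES), ntas={"example.org."})
    return r.respond("example.org.")


if __name__ == "__main__":
    print("no NTA :", without_nta())   # SERVFAIL: the failure is surfaced
    print("NTA    :", with_nta())       # NOERROR, ad=False: failure is hidden, not fixed
```

The two outputs are the whole argument in miniature: the NTA never produces `ad=True`, so Hoffman's reading ("asserting the data is unprotected by DNSSEC") is the accurate one, and Vixie's objection follows directly, since the resolver has no way to know whether the signatures fail because of a rollover mistake or because the server was compromised. Operationally that argues for keeping any NTA narrowly scoped to the failing name and short-lived, and for alerting on its presence rather than treating it as a silent fix.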

