[dns-operations] Implementation of negative trust anchors?

Paul Vixie paul at redbarn.org
Fri Aug 23 00:13:30 UTC 2013

Randy Bush wrote:
> < from a conversation with a friend wiser than i >
> the problem is that we are going through a deployment phase where there
> is little penalty for sloppy server ops because so few are validating.
> patching over this to be more tolerant of sloppy server ops is going in
> the wrong direction.  ...

+1. we're currently debating placement of first mover advantage. today
if you sign incorrectly you lose. with NTA at scale, if you sign
incorrectly you won't lose. i don't know how we'd get back from there.

i've signed incorrectly plenty of times on my own domains, because i
haven't got BIND 9.8 "DNSSEC for Humans" running. every time i lose
because my domain names can't be looked up because my signatures expired
or whatever, it changes the equation in my head, and brings me closer to
improving my signature and key management processes. granted i don't
lose money when my DNSSEC is busted, but my phone does ring. i like that
-- the internet too rarely aligns incentives. we're getting it right for

comcast and their DNS vendors should do what suits them. but we should
all resist making NTA an interoperable standard or BCP.
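The failure mode Vixie describes above (signatures expiring on a self-managed zone, noticed only when names stop resolving) is exactly what a routine expiry check catches. The following is an added example, not code from the post or from BIND: it parses RRSIG records in the presentation format of RFC 4034 section 3.2 and flags any that are expired, not yet valid, or within a warning window. The zone name `example.test`, the key tag and the signature bytes are constructed sample data; the check function and its three-day default window are the author of this example's choices, not anything the post specifies.

```python
"""Flag RRSIGs that are expired, not yet valid, or about to expire.

Added example (not from the original mailing-list post or from BIND).
RRSIG presentation format (RFC 4034 s3.2):
  owner ttl class RRSIG type-covered alg labels orig-ttl
        expiration inception key-tag signer signature
Times are YYYYMMDDHHmmSS in UTC.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: a dig-style dump of RRSIGs for a hypothetical zone.
# The key tag (12345) and base64 signature are placeholders, not real data.
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG SOA 8 2 3600 20130901000000 20130802000000 12345 example.test. c29tZXNpZw==
example.test. 3600 IN RRSIG NS 8 2 3600 20130823120000 20130724120000 12345 example.test. c29tZXNpZw==
www.example.test. 3600 IN RRSIG A 8 3 3600 20130820000000 20130721000000 12345 example.test. c29tZXNpZw==
"""


def parse_rrsig_time(ts):
    """Parse an RRSIG expiration/inception field (YYYYMMDDHHmmSS, UTC)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Return a list of dicts for every RRSIG line in presentation format.

    Lines that are not RRSIGs (or are too short to be one) are skipped.
    """
    sigs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        sigs.append({
            "owner": fields[0],
            "type": fields[4],
            "expiration": parse_rrsig_time(fields[8]),
            "inception": parse_rrsig_time(fields[9]),
            "keytag": int(fields[10]),
            "signer": fields[11],
        })
    return sigs


def check_rrsigs(text, now, warn=timedelta(days=3)):
    """Report problem signatures as (owner, type, status, expiration) tuples.

    status is one of "expired", "not yet valid" or "expiring" (expiration
    falls within the `warn` window). Healthy signatures are omitted.
    Validators treat an RRSIG outside [inception, expiration] as invalid,
    so the first two states already break resolution; "expiring" is the
    early warning that keeps the phone from ringing.
    """
    problems = []
    for sig in parse_rrsigs(text):
        if now >= sig["expiration"]:
            status = "expired"
        elif now < sig["inception"]:
            status = "not yet valid"
        elif sig["expiration"] - now <= warn:
            status = "expiring"
        else:
            continue
        problems.append((sig["owner"], sig["type"], status, sig["expiration"]))
    return problems


if __name__ == "__main__":
    # Evaluate the sample against the timestamp of the post above.
    now = parse_rrsig_time("20130823001330")
    for owner, rtype, status, exp in check_rrsigs(SAMPLE_RRSIGS, now):
        print(f"{owner} RRSIG({rtype}): {status}, expires {exp.isoformat()}")
```

In practice the input would come from `dig +dnssec` output or a signed zone file, and the check would run from cron with a warning window longer than the resigning interval, so that a stalled signer is noticed before the shortest-lived RRSIG lapses.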


