[dns-operations] Implementation of negative trust anchors?

Daniel Kalchev daniel at digsys.bg
Fri Aug 23 12:06:45 UTC 2013

On 22.08.13 22:59, WBrown at e1b.org wrote:
>> From: Doug Barton <dougb at dougbarton.us>
>> As stated before, the problem is that after the "early adopter" period
>> is over we'll be stuck with NTAs forever. This is one of those
>> fundamental disagreements between those who believe that DNS should
>> always be forgiving of operator error, and those of us who do not.
> Running the DNS for 100+ school districts and 400,000+ devices, I really,
> REALLY don't want to be the one saying "Sorry, you can't use the site
> called for in your lesson plan today because they messed up the DNSSEC
> records."  Management's response would be "Just make it work!"
> Without a per domain NTA, the only option would be to turn off DNSSEC,
> returning to square one.

If turning off DNSSEC is your way to "Just make it work!" then it is a
perfectly legitimate thing to do. You could do it on a limited scale for
that specific lesson today and turn it on afterwards.

As already mentioned, local policy always rules (as do local laws).
DNSSEC is merely a technology to aid you in authenticating data and
determining whether it was modified in transit. Nothing more, nothing less. It
also provides a chain of trust that matches the DNS delegation
chain of trust -- thus being better than "traditional" PKI with relation
to web site certificates.

DNSSEC is not some magical technology that just solves "the problems".

On this, I am with Doug, that "if there is a high price for doing it 
wrong less people will do it wrong".
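The "limited scale, turn it back on afterwards" approach above can be kept from becoming a permanent hole by scoping the bypass to one domain, giving it an expiry, and leaving an audit record. The script below is an added illustration (not from this post or from any resolver project) for a BIND resolver: it validates the domain and lifetime, refuses open-ended lifetimes, and composes the documented `rndc nta -lifetime <duration> <domain>` invocation, which BIND removes on its own once the lifetime passes. The exact accepted duration syntax (`30m`, `1h`) and the one-hour cap are assumptions; `NTA_LOG` and the dry-run switch are invented for the example.

```shell
#!/bin/sh
# Time-limited per-domain negative trust anchor helper (example code).
# Assumes BIND 9.11+ with "rndc nta" available and rndc already configured.

NTA_LOG="${NTA_LOG:-/var/log/nta-actions.log}"   # assumed audit log path
NTA_DRY_RUN="${NTA_DRY_RUN:-1}"                   # 1 = only print the command

# Return 0 if $1 looks like a sane absolute or relative DNS name.
valid_domain() {
    printf '%s' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}\.?$'
}

# Return 0 if $1 is a short TTL-style duration in seconds/minutes/hours
# that does not exceed one hour (assumed local policy cap).
valid_lifetime() {
    printf '%s' "$1" | grep -Eq '^[0-9]+[smh]$' || return 1
    n=$(printf '%s' "$1" | sed 's/[smh]$//')
    u=$(printf '%s' "$1" | sed 's/^[0-9]*//')
    case "$u" in
        s) secs=$n ;;
        m) secs=$((n * 60)) ;;
        h) secs=$((n * 3600)) ;;
    esac
    [ "$secs" -gt 0 ] && [ "$secs" -le 3600 ]
}

# Print the rndc command that would add the NTA; fail on bad input.
nta_plan() {
    d=$1; lt=$2
    valid_domain "$d"     || { echo "invalid domain: $d" >&2; return 2; }
    valid_lifetime "$lt"  || { echo "lifetime must be 1s..1h: $lt" >&2; return 3; }
    printf 'rndc nta -lifetime %s %s\n' "$lt" "$d"
}

# Apply (or, in dry-run mode, only show) the NTA and record who did it.
nta_apply() {
    cmd=$(nta_plan "$1" "$2") || return $?
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    who=${SUDO_USER:-${USER:-unknown}}
    if [ "$NTA_DRY_RUN" = "1" ]; then
        printf '%s DRY-RUN %s: %s\n' "$stamp" "$who" "$cmd"
    else
        printf '%s %s: %s\n' "$stamp" "$who" "$cmd" >> "$NTA_LOG"
        # shellcheck disable=SC2086
        $cmd
    fi
}

# Example usage (dry run by default): nta_apply lesson-site.example 30m
```

Run with `NTA_DRY_RUN=0` to actually call rndc. Unbound operators can swap the command for `unbound-control insecure_add <domain>`, but note that Unbound does not expire that entry by itself, so the removal (`insecure_remove`) has to be scheduled separately.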

