[dns-operations] Implementation of negative trust anchors?

Daniel Kalchev daniel at digsys.bg
Fri Aug 23 13:18:30 UTC 2013

On 23.08.13 00:37, Joe Abley wrote:
> Last thing, we have NTAs today. People use them.

Local policy always prevails. Even over common sense. We observe this in 
the real world, where local laws are always in force and in some places 
the local laws might not make sense to us, or even irritate our sense of 
'laws'. Yet, those exist. Won't go away.

Therefore, it is perfectly ok for someone to implement NTAs or other 
methods to ignore what DNSSEC provides. As with any other manual 
intervention, these are prone to error.

One day, when more people are dependent on DANE and it stops working, 
those same oper types will start talking the opposite story...

On the other hand, if we let too many "ifs" exist, such as "but what if 
someone has applied NTAs to this domain, somewhere?", then application 
designers will be even less motivated to make use of DNSSEC.

