[dns-operations] Implementation of negative trust anchors?
daniel at digsys.bg
Fri Aug 23 13:18:30 UTC 2013
On 23.08.13 00:37, Joe Abley wrote:
> Last thing, we have NTAs today. People use them.
Local policy always prevails. Even over common sense. We observe this in
the real world, where local laws are always in force and in some places
the local laws might not make sense to us, or even irritate our sense of
'laws'. Yet, those exist. Won't go away.
Therefore, it is perfectly ok for someone to implement NTAs or other
methods to ignore what DNSSEC provides. As with any other manual
intervention, these are prone to error.
One day, when more people are dependent on DANE and it stops working,
those same oper types will start talking the opposite story...
On the other hand, if we let too many "ifs" exist, such as "but what if
someone has applied NTAs to this domain, somewhere?", then application
designers will be even less motivated to make use of DNSSEC.