[dns-operations] Implementation of negative trust anchors?
daniel at digsys.bg
Fri Aug 23 13:33:28 UTC 2013
On 23.08.13 03:07, Vernon Schryver wrote:
>> From: Suzanne Woolf <woolf at isc.org>
>> I don't like it either, but it limits the damage done by a DNSSEC
>> failure to status quo ante rather than something worse.
> That is mistaken. You get the status quo ante by simply turning
> off validation.
It seems discussions like this are the result of implementing DNSSEC
only halfway so far.
Thing is, today we mostly make use of DNSSEC validation at the 'large'
caching resolver sites. Those are services that serve lots of people,
and if someone has "any" problem, they do call. It is all too easy to
point at DNSSEC and demand it be ignored.
When/if we get to a fuller DNSSEC deployment, where validation
happens on each individual end node, then each individual end user can
make their own choice whether to validate or not, there won't be a need
for any such bypassing technologies at the service level, and nobody's
phone will ring for problems they did not create.
But in order to arrive at this level of deployment, we need to convince
application developers that DNSSEC is already a stable target. Inventing
more and more knobs does not exactly signal that.
Of course, it will help having validating local resolvers in most major
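As an added example (not part of this thread or any poster's words), this is how the two knobs being argued about look in an Unbound resolver configuration: a negative trust anchor scoped to one zone versus switching validation off for everything. The zone name and key file path are placeholders; the `domain-insecure` and `module-config` options are standard unbound.conf settings.

```conf
# Added example, not from the mailing-list thread.
# Assumes Unbound with the validator module built in; zone name and
# trust-anchor path are placeholders.

server:
    # Baseline: validation on (the validator runs ahead of the iterator).
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Negative trust anchor, scoped to a single zone: names under
    # broken-example.test are treated as if the zone were unsigned
    # (insecure), while every other zone keeps being validated.
    # Remove this line once the zone's DNSSEC chain is repaired.
    domain-insecure: "broken-example.test"

    # The alternative Vernon refers to: turning validation off entirely.
    # This returns every zone to the pre-DNSSEC state, not just the one
    # that is broken, so it is the blunter instrument.
    # module-config: "iterator"
```

The operational difference is scope: with `domain-insecure` only the named zone loses its DNSSEC protection, and the change is easy to audit and revert, whereas the commented-out `module-config: "iterator"` line silently strips protection from every signed zone the resolver serves. BIND offers the same per-zone override at runtime through `rndc nta`, which attaches an expiry so the exception does not outlive the outage it was created for.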