[dns-operations] Implementation of negative trust anchors?

Daniel Kalchev daniel at digsys.bg
Fri Aug 23 13:33:28 UTC 2013

On 23.08.13 03:07, Vernon Schryver wrote:
>> From: Suzanne Woolf <woolf at isc.org>
>> I don't like it either, but it limits the damage done by a DNSSEC
>> failure to status quo ante rather than something worse.
> That is mistaken.  You get the status quo ante by simply turning
> off validation.

It seems discussions like this are the result of half-way implementing 
DNSSEC so far.

Thing is, today we mostly make use of DNSSEC validation at the 'large' 
caching resolver sites. Those are services that serve lots of people, 
and if someone has "any" problem, they do call. It is all too easy to 
point at DNSSEC and demand it be ignored.

When/If we get to a more full DNSSEC deployment, where the validation 
happens on each individual end node, then each individual end user can 
make their own choice whether to validate or not; there won't be any need 
for such bypassing technologies at the service level, and nobody's 
phone will ring for problems they did not create.

But in order to arrive at this level of deployment, we need to convince 
application developers that DNSSEC is already a stable target. Inventing 
more and more knobs does not signal exactly that.
Of course, it will help having validating local resolvers in most major 
platforms :)

