[dns-operations] Implementation of negative trust anchors?

David Conrad drc at virtualized.org
Fri Aug 23 14:27:37 UTC 2013


On Aug 22, 2013, at 3:25 PM, Paul Vixie <paul at redbarn.org> wrote:
>>> A resolver operator deploying an NTA is making an assertion that data behind a name is safe despite protocol indications that it may not be.
>> Where is that stated? I ask, because it would seem that a better description would be that they are asserting that the data behind a name is unprotected by DNSSEC.
> agreed, and that's why, over and above the absurd engineering economics behind it, i don't like NTA. if my signatures don't work because i've been attacked (for example, one of my name servers has been compromised), the last thing i'd want is comcast telling their customers that the data they're getting from my compromised name server is ok to consume because it's unsigned.

Exactly so. However, pragmatically speaking, if someone (say NASA perhaps?) screws up signing their zone, it isn't the zone-signing-screwer-upper that gets the phone calls, it is the eyeball networks that are doing the validation. Without NTA, the eyeball network operators have a choice: eat the cost of those calls or turn off validation _for ALL signed zones until the zone-signing-screwer-upper fixes their problem_.

I gather you believe eating the cost is the right answer.

> madness test: would we have bothered with DNSSEC at all, back in the day, if NTA had been known as a definite requirement?

Sure.

Regards,
-drc
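An added illustration, not part of this thread, of the tradeoff described above: a per-name negative trust anchor versus switching validation off entirely, modelled as resolver policy in Python. The names, validation results and helper functions are constructed for the example.

```python
# Added example (not from the thread): compares a per-name NTA with
# "turn off validation for all signed zones". Names and results are constructed.

def labels(name):
    """Split a DNS name into labels, case-insensitively, dropping the root."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def under(name, anchor):
    """True if name equals anchor or lies below it (label-wise, not a string suffix)."""
    n, a = labels(name), labels(anchor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a

def resolver_status(name, validation_result, ntas=(), validating=True):
    """Status a validating resolver hands back to a stub.

    validation_result: 'secure', 'insecure' or 'bogus' from DNSSEC validation.
    ntas: names the operator configured as negative trust anchors.
    validating=False models disabling validation for every zone.
    """
    if not validating:
        return "insecure"          # nothing is checked; every answer is served
    if validation_result == "bogus" and any(under(name, a) for a in ntas):
        return "insecure"          # NTA: served, but only for names under the anchor
    return validation_result       # 'bogus' elsewhere still means SERVFAIL

# Constructed sample of what an eyeball resolver might see.
SAMPLE = [
    ("www.example.test", "bogus"),    # the mis-signed zone
    ("mail.example.test", "bogus"),
    ("www.other.test", "bogus"),      # unrelated zone, possibly under attack
    ("notexample.test", "bogus"),     # string-suffix lookalike, must NOT match
    ("www.bank.test", "secure"),
]

def unprotected(sample, ntas=(), validating=True):
    """Names whose DNSSEC failure is masked under the given policy."""
    return [n for n, r in sample
            if r == "bogus" and resolver_status(n, r, ntas, validating) == "insecure"]

if __name__ == "__main__":
    print("NTA for example.test masks:", unprotected(SAMPLE, ntas=["example.test"]))
    print("validation off masks:     ", unprotected(SAMPLE, validating=False))
```

The NTA case masks only the two names under example.test; disabling validation also masks the unrelated bogus answer from other.test, which is the cost Vixie objects to.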
