[dns-operations] Implementation of negative trust anchors?

David Conrad drc at virtualized.org
Fri Aug 23 14:39:06 UTC 2013

On Aug 22, 2013, at 5:06 PM, Paul Vixie <paul at redbarn.org> wrote:
> i just find it indescribable that a content owner who signs their zone as a means to protect themselves against corruption in their secondary servers, can have that tool taken out of their hands by a distant resolver operator who uses NTA to keep their own phone from ringing.

They already have that regardless of NTA.  In BIND configuration language it's:

dnssec-validation no;

NTA simply gives the resolver operator the ability to limit the damage to a single zone instead of ALL zones.

> what i would like in local policies like nta or dlv which seek to be distributed and scalable is,

A local policy pretty much by definition is not supposed to be distributed and scalable.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130823/2c9a7a01/attachment.sig>

More information about the dns-operations mailing list