[dns-operations] Implementation of negative trust anchors?

David Conrad drc at virtualized.org
Fri Aug 23 14:47:36 UTC 2013


Vernon,

On Aug 22, 2013, at 5:07 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
> You get the status quo ante by simply turning off validation.

If the only solution to someone else screwing up signing is to turn off validation for all zones and the likelihood of someone screwing up signing scales with the number of folks signing, why bother ever turning validation on?

> On the contrary, NTA is a new tool for deliberately introducing new
> faults in the data you give your DNS clients.  It is a tool for lying
> to your DNS clients with data that you swear is valid and signed but
> that you know is at best unsigned and quite possibly invalid or worse.

True.  This is why I suspect corporate types will have hesitancy to use NTAs and wish to remove them as soon as possible.

Regards,
-drc
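
The scope difference at issue above, as an added illustration that is not part of the thread: a toy Python model of a validating resolver (constructed per-zone validation states, no real lookups) contrasts turning validation off globally with adding an NTA for the one zone whose signing is broken. The zone table and the Resolver class are my construction; the AD-bit handling for NTA-covered answers follows what RFC 7646 later required.

```python
from dataclasses import dataclass, field

# Constructed sample of the validation state a resolver would determine per
# zone: "secure" (chain of trust verifies), "bogus" (signed but validation
# fails, e.g. a botched key rollover), "insecure" (provably unsigned).
ZONE_STATE = {
    "example.com.": "secure",
    "broken.example.": "bogus",
    "unsigned.test.": "insecure",
}


def _in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or a name below it."""
    return name == zone or name.endswith("." + zone)


@dataclass
class Resolver:
    validate: bool = True                    # the global switch the thread debates
    ntas: set = field(default_factory=set)   # zones under a negative trust anchor

    def resolve(self, name: str) -> tuple:
        """Return (rcode, ad_bit) for a query; only the validation outcome is modelled."""
        zone = max((z for z in ZONE_STATE if _in_zone(name, z)), key=len, default=None)
        if zone is None:
            raise ValueError(f"no sample zone for {name}")
        if not self.validate or any(_in_zone(name, z) for z in self.ntas):
            # The answer goes out without any validation, so the AD bit stays
            # clear (per RFC 7646): clients must not be told it was checked.
            return ("NOERROR", False)
        state = ZONE_STATE[zone]
        if state == "bogus":
            return ("SERVFAIL", False)
        return ("NOERROR", state == "secure")

    def unvalidated_zones(self) -> set:
        """Sample zones whose DNSSEC status this resolver no longer checks."""
        if not self.validate:
            return set(ZONE_STATE)
        return {z for z in ZONE_STATE if any(_in_zone(z, n) for n in self.ntas)}
```

Running `unvalidated_zones()` on a resolver with `validate=False` lists every zone, while one with `ntas={"broken.example."}` lists only that zone and still returns AD for `example.com.`.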
