[dns-operations] Implementation of negative trust anchors?

David Conrad drc at virtualized.org
Fri Aug 23 14:58:41 UTC 2013


On Aug 22, 2013, at 5:13 PM, Paul Vixie <paul at redbarn.org> wrote:
> Randy Bush wrote:
>> < from a conversation with a friend wiser than i >
>> 
>> the problem is that we are going through a deployment phase where there
>> is little penalty for sloppy server ops because so few are validating.
>> 
>> patching over this to be more tolerant of sloppy server ops is going in
>> the wrong direction.  ...
> 
> +1. we're currently debating placement of first mover advantage. today
> if you sign incorrectly you lose. with NTA at scale, if you sign
> incorrectly you won't lose.

Sure you will.

You screw up signing and you instantly lose.

NTA allows other folks to not lose with you if they decide the pain of your screwing up to them is sufficiently high to justify manual intervention.

Not everyone will make the same value judgement and they all won't make it at the same time.

Regards,
-drc
