[dns-operations] Implementation of negative trust anchors?

Carlos M. Martinez carlosm3011 at gmail.com
Fri Aug 23 15:04:43 UTC 2013

I'm _very_ torn on the issue. On one hand I fully agree with Patrik in
the sense that documenting such practices could lead to widespread
'holes' in validation.

However, in my opinion the first knee jerk reaction of a recursive
resolver operator will probably be 'if 1M clients of mine are unable to
access kittenvideos.com due to a DNSSEC screewup, I will just disable
it'. Maybe such operators, if presented with the possibility of having
NTAs may chose to use that.

Again, I'm torn. I'm not sure what will work better in the real world,
or produce the best outcomes in the long term.



On 8/23/13 11:58 AM, David Conrad wrote:
> On Aug 22, 2013, at 5:13 PM, Paul Vixie <paul at redbarn.org> wrote:
>> Randy Bush wrote:
>>> < from a conversation with a friend wiser than i >
>>> the problem is that we are going through a deployment phase where there
>>> is little penalty for sloppy server ops because so few are validating.
>>> patching over this to be more tolerant of sloppy server ops is going in
>>> the wrong direction.  ...
>> +1. we're currently debating placement of first mover advantage. today
>> if you sign incorrectly you lose. with NTA at scale, if you sign
>> incorrectly you won't lose.
> Sure you will.
> You screw up signing and you instantly lose.
> NTA allows other folks to not lose with you if they decide the pain of your screwing up to them is sufficiently high to justify manual intervention.
> Not everyone will make the same value judgement and they all won't make it at the same time.
> Regards,
> -drc
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

More information about the dns-operations mailing list