[dns-operations] Implementation of negative trust anchors?

Warren Kumari warren at kumari.net
Fri Aug 23 15:12:11 UTC 2013


On Aug 23, 2013, at 11:04 AM, "Carlos M. Martinez" <carlosm3011 at gmail.com> wrote:

> I'm _very_ torn on the issue. On one hand I fully agree with Patrik in
> the sense that documenting such practices could lead to widespread
> 'holes' in validation.
> 
> However, in my opinion the first knee jerk reaction of a recursive
> resolver operator will probably be 'if 1M clients of mine are unable to
> access kittenvideos.com due to a DNSSEC screewup, I will just disable
> it'. Maybe such operators, if presented with the possibility of having
> NTAs may chose to use that.
> 
> Again, I'm torn. I'm not sure what will work better in the real world,
> or produce the best outcomes in the long term.

All depends on if you actually want DNSSEC to be deployed or not.

If something like NTA (or some other way to override "obvious" DNSSEC screwups) didn't exist, do you *really* think that Comcast and 8.8.8.8 would be doing DNSSEC validation? Do you remember the fallout from the NASA screwup?

Simply telling your customers "Yes, I know that it worked fine from $competitor, but we do things better here, and so you cannot see "fluffy kitten chasing ball of yarn". It's for your own good, and it also teaches fkittenvideos.com to not suck so much…" doesn't cut it.

W
> 
> regards
> 
> ~Carlos
> 
> On 8/23/13 11:58 AM, David Conrad wrote:
>> On Aug 22, 2013, at 5:13 PM, Paul Vixie <paul at redbarn.org> wrote:
>>> Randy Bush wrote:
>>>> < from a conversation with a friend wiser than i >
>>>> 
>>>> the problem is that we are going through a deployment phase where there
>>>> is little penalty for sloppy server ops because so few are validating.
>>>> 
>>>> patching over this to be more tolerant of sloppy server ops is going in
>>>> the wrong direction.  ...
>>> 
>>> +1. we're currently debating placement of first mover advantage. today
>>> if you sign incorrectly you lose. with NTA at scale, if you sign
>>> incorrectly you won't lose.
>> 
>> Sure you will.
>> 
>> You screw up signing and you instantly lose.
>> 
>> NTA allows other folks to not lose with you if they decide the pain of your screwing up to them is sufficiently high to justify manual intervention.
>> 
>> Not everyone will make the same value judgement and they all won't make it at the same time.
>> 
>> Regards,
>> -drc
>> 
>> 
>> 
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> 

-- 
Outside of a dog, a book is your best friend, and inside of a dog, it's too dark to read 





More information about the dns-operations mailing list