[dns-operations] Implementation of negative trust anchors?

Vernon Schryver vjs at rhyolite.com
Fri Aug 23 16:02:47 UTC 2013

> From: David Conrad <drc at virtualized.org>

> Exactly so.  However pragmatically speaking if someone (say NASA
> perhaps?) screws up signing their zone, it isn't the
> zone-signing-screwer-upper that gets the phone calls, it is the eyeball
> networks that are doing the validation.  Without NTA, the eyeball
> network operators have a choice, eat the cost of those calls or turn off
> validation _for ALL signed zones until the zone-signing-screwer-upper
> fixes their problem_.
> I gather you believe eating the cost is the right answer.

YES!  Eyeball networks are paid by their customers to act as
pre-front-line support for bad DNS delegations, broken HTTP servers,
and all other content provider problems.

Saying otherwise for any of the services sold by eyeball networks is
another step down the slope toward content providers paying eyeball
networks for eyeballs and the conversion of the Internet into what it
was in about 1965 when it was owned by Ma Bell and the three television

Of course, it wasn't called the Internet, but it was the contemporary
equivalent.  I was around for the Carterphone decision and the incredible
freedom to connect computers that followed "soon" after (in about 15
years--remember DAAs?).  I was also around to see the ARPANET use
56kbps leased lines that were not only incredibly slow but required
incredible massaging of Ma Bell bureaucrats who required you to admit
who was really in charge of your business.  (I was at TIP-25 at DOCB)


} From: David Conrad <drc at virtualized.org>

} Vernon,

} If the only solution to someone else screwing up signing is to turn off
} validation for all zones and the likelihood of someone screwing up
} signing scales with the number of folks signing, why bother ever turning
} validation on?

Eyeball networks would be best served by turning off DNSSEC.  Comcast
notwithstanding, DNSSEC does nothing to help their bottom lines.

Let's be honest and admit that talk about NTA today and tomorrow (as
opposed to last year) is really a statement of regret about DNSSEC and
a demand that DNSSEC just go away.  If you honestly believe in DNSSEC's
promise of letting me sign my zones, then you must also let me mess
them up.  Essentially none who will use NTA will have any inkling
whether bad signatures on my zones reflect my incompetence or actions
of my (and/or their) enemies.

Many of us here now can and are happy to make good guesses about whether
a DNSSEC failure is due to zone operator error or enemy action, but
that won't be true of most future NTA users, including big outfits.
I read the thinness of http://dns.comcast.net/ as saying that Comcast,
that major NTA supporter, has not only given up trying to diagnose
other people's DNSSEC problems but quietly shelved NTA.

} > On the contrary, NTA is a new tool for deliberately introducing new
} > faults in the data you give your DNS clients.

} True.  This is why I suspect corporate types will have hesitancy to use
} NTAs and wish to remove them as soon as possible.

On the contrary, given minimal cover such as an RFC, corporate types
at eyeball networks will mandate add-only NTA lists that only grow and
never lose entries.  They'll say politically correct things about
DNSSEC but use NTA to minimize support costs and maximize profits from
activities that are incompatible with DNSSEC such as typosquatting.

Vernon Schryver    vjs at rhyolite.com
