[dns-operations] Implementation of negative trust anchors?

Daniel Kalchev daniel at digsys.bg
Fri Aug 23 16:52:59 UTC 2013


On 23.08.13 18:12, Warren Kumari wrote:
> On Aug 23, 2013, at 11:04 AM, "Carlos M. Martinez" <carlosm3011 at gmail.com> wrote:
>
>> I'm _very_ torn on the issue. On one hand I fully agree with Patrik in
>> the sense that documenting such practices could lead to widespread
>> 'holes' in validation.
>>
>> However, in my opinion the first knee jerk reaction of a recursive
>> resolver operator will probably be 'if 1M clients of mine are unable to
>> access kittenvideos.com due to a DNSSEC screwup, I will just disable
>> it'. Maybe such operators, if presented with the possibility of having
>> NTAs may choose to use that.
>>
>> Again, I'm torn. I'm not sure what will work better in the real world,
>> or produce the best outcomes in the long term.
> All depends on if you actually want DNSSEC to be deployed or not.
>
> If something like NTA (or some other way to override "obvious" DNSSEC screwups) didn't exist, do you *really* think that Comcast and 8.8.8.8 would be doing DNSSEC validation? Do you remember the fallout from the NASA screwup?
>

Nobody has ever questioned that there is need for local policy 
overrides. Everyone's needs are served differently.
Then, maintaining NTAs incurs high manual costs. Not everybody will 
agree to bear those costs.

Most ISPs' DNS "operations" are just as clueless/careless as those 
breaking their DNS setups. NTAs are not solutions for these, because 
they won't bother with it either.

The obvious question is, do we want to codify this in a BCP or, even 
worse, a standards document?

Daniel
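The thread talks about NTAs as a local override of a DNSSEC validation failure and about the manual cost of maintaining them. As an added illustration (not code from this thread, and not any resolver's implementation), here is a small model of the decision a validating resolver makes when an NTA is configured: the NTA covers only the named domain and its subdomains, carries a mandatory expiry so it cannot silently outlive the outage, and turns a bogus answer into an insecure one rather than a secure one. The names `Verdict`, `NtaTable` and `apply_nta`, and the constructed domains and timestamps, are hypothetical.

```python
"""Toy model of negative-trust-anchor (NTA) handling in a validating resolver.

Added illustration only; not code from the dns-operations thread or from
any real resolver. Names and sample values are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    SECURE = "secure"      # chain of trust validated
    INSECURE = "insecure"  # provably unsigned (delegation without DS)
    BOGUS = "bogus"        # signatures present but failed to validate


def _labels(name: str) -> List[str]:
    """Normalise a domain name into lower-case labels, dropping the root dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def is_at_or_below(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it (label-wise)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


@dataclass
class NtaTable:
    """Locally configured NTAs: normalised domain -> expiry timestamp (seconds).

    Every entry carries an expiry so an override cannot silently outlive
    the outage it was added for; reviewing and renewing them is the manual
    cost the thread refers to.
    """
    entries: Dict[str, float] = field(default_factory=dict)

    def add(self, domain: str, now: float, lifetime: float = 3600.0) -> None:
        if lifetime <= 0:
            raise ValueError("NTA lifetime must be positive")
        self.entries[".".join(_labels(domain))] = now + lifetime

    def expire(self, now: float) -> List[str]:
        """Drop stale entries and return them (so the operator can log them)."""
        stale = [d for d, t in self.entries.items() if t <= now]
        for d in stale:
            del self.entries[d]
        return stale

    def covering(self, name: str, now: float) -> Optional[str]:
        """Most specific unexpired NTA that covers `name`, if any."""
        best: Optional[str] = None
        for d, t in self.entries.items():
            if t > now and is_at_or_below(name, d):
                if best is None or len(_labels(d)) > len(_labels(best)):
                    best = d
        return best


def apply_nta(name: str, verdict: Verdict, table: NtaTable,
              now: float) -> Tuple[Verdict, bool]:
    """Decide what the resolver hands to the client.

    Returns (verdict_reported, serve); serve=False means SERVFAIL.
    An NTA only rescues BOGUS data and downgrades it to INSECURE: it never
    produces SECURE, so clients that check the AD bit still see that
    validation was not performed for this name.
    """
    if verdict is not Verdict.BOGUS:
        return verdict, True
    if table.covering(name, now) is not None:
        return Verdict.INSECURE, True
    return Verdict.BOGUS, False


if __name__ == "__main__":
    # Constructed scenario: a zone breaks its signatures at t=1000 and the
    # operator adds a ten-minute NTA for it.
    table = NtaTable()
    table.add("example.com", now=1000.0, lifetime=600.0)
    print(apply_nta("www.example.com", Verdict.BOGUS, table, 1100.0))  # served as INSECURE
    print(apply_nta("www.example.com", Verdict.BOGUS, table, 1700.0))  # NTA expired: SERVFAIL
    print(apply_nta("example.org", Verdict.BOGUS, table, 1100.0))      # not covered: SERVFAIL
    print(table.expire(1700.0))                                          # ['example.com']
```

The `expire` method returning the removed entries is deliberate: an NTA that lapses without anyone noticing is the same operational blind spot the thread worries about, so the model makes expiry an event the operator can see rather than a silent state change.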


