[dns-operations] Implementation of negative trust anchors?

Ralf Weber Ralf.Weber at nominum.com
Fri Aug 23 16:57:45 UTC 2013


On 23.08.2013, at 09:19, Paul Vixie <paul at redbarn.org> wrote:
> if nasa.gov had screwed up its delegation or had allowed its public secondary servers to expire the zone due to primary unreachability, i do not think the phone at comcast would have rung less, but i also don't think that comcast would have fixed nasa's error in local policy. we're only talking about this because DNSSEC is new.
There is a huge difference between DNS outages caused by connectivity and DNSSEC-caused outages. Without DNSSEC, screwing up your domain so badly that it is unreachable is very, very hard. With DNSSEC you make one small error and your domain goes dark for those who validate. Given that the cost of this is not on the domain owner, but instead on the service providers that validate, I think it is absolutely needed to give them a tool to minimize these costs (NTA).

So long
Ralf Weber
Senior Infrastructure Architect
Nominum Inc.
o: +49 6446 4392053
m: +49 151 22659325
u: +1 650 817 5895
ralf.weber at nominum.com
