[dns-operations] Implementation of negative trust anchors?

Paul Vixie paul at redbarn.org
Fri Aug 23 17:03:25 UTC 2013

Ralf Weber wrote:
> There is a huge difference between DNS outages caused by connectivity and DNSSEC-caused outages. Without DNSSEC, screwing up your domain so badly that it is unreachable is very very hard. With DNSSEC you make one small error and your domain goes dark for those who validate. Given that the cost of this is not on the domain owner, but instead on the service providers that validate, I think it is absolutely needed to give them a tool to minimize these costs (NTA).

as i've already said, NTA as a local policy is by definition OK with
everybody. that's why we call it a "local" policy.

but it's steeped in irony. the only reason NTA can be seen as a
responsible practice in the eyes of those who practice it is that the
domain owner who screwed up their signatures will still get plenty of
phone calls, because NTA by definition won't have a widespread impact.

i think the fact that nominum put NTA support into CNS for comcast shows
good business sense. as a nominum shareholder i applaud. any other DNS
supplier who wants to compete with nominum for comcast's business will
have this hill to climb first. kewl.

on the other hand i would not be glad to see NTA as an IETF RFC, FYI,
BCP, or other standards-like artifact.

