[dns-operations] Implementation of negative trust anchors?
jared at puck.nether.net
Fri Aug 23 17:04:38 UTC 2013
On Aug 22, 2013, at 3:59 PM, WBrown at e1b.org wrote:
> Running the DNS for 100+ school districts and 400,000+ devices, I really,
> REALLY don't want to be the one saying "Sorry, you can't use the site
> called for in your lesson plan today because they messed up the DNSSEC
> records." Management's response would be "Just make it work!"
> Without a per domain NTA, the only option would be to turn off DNSSEC,
> returning to square one.
I wanted to point out this is a semi-false premise. If you were dependent on the resources, you would be pulling circuits or hosting those sites in-house. I see this argument made about availability in an absolute sense and one can't control the entire ecosystem.
OpenDNS didn't just start charging enterprises because they could, they did it as a result of people realizing they were dependent on resources where they had no contractual relationship or SLA.
More information about the dns-operations