[dns-operations] Implementation of negative trust anchors?

Jared Mauch jared at puck.nether.net
Fri Aug 23 17:04:38 UTC 2013


On Aug 22, 2013, at 3:59 PM, WBrown at e1b.org wrote:

> Running the DNS for 100+ school districts and 400,000+ devices, I really, 
> REALLY don't want to be the one saying "Sorry, you can't use the site 
> called for in your lesson plan today because they messed up the DNSSEC 
> records."  Management's response would be "Just make it work!"
> 
> Without a per-domain NTA, the only option would be to turn off DNSSEC,
> returning to square one.

I wanted to point out this is a semi-false premise.  If you were dependent on the resources, you would be pulling circuits or hosting those sites in-house.  I see this argument made about availability in an absolute sense, and one can't control the entire ecosystem.

OpenDNS didn't just start charging enterprises because they could; they did it as a result of people realizing they were dependent on resources where they had no contractual relationship or SLA.

- Jared

