[dns-operations] Implementation of negative trust anchors?

Evan Hunt each at isc.org
Fri Aug 23 17:14:44 UTC 2013


On Fri, Aug 23, 2013 at 04:02:47PM +0000, Vernon Schryver wrote:
> On the contrary, given minimal cover such as an RFC, corporate types
> at eyeball networks will mandate add-only NTA lists that only grow and
> never lose entries.

Obviously that's possible, but IIRC the draft requires that NTA entries
have limited (and short) lifetimes.

If we decide to implement this in BIND (it's on our roadmap, but with a
question mark), I expect the NTA lifetime will default to an hour and be
capped at a day.  NTAs would be inserted via the control channel (rndc)
rather than a configuration file change, and wouldn't persist across
system restarts.  An operator could write a script to continually
insert the same NTAs over and over again forever, but it would be
easier to allow them to lapse as intended.

I was against NTAs when they were first proposed; I've come around.
Disabling validation because of signing failures is the wrong thing
to do, but people are going to do the wrong thing whether I like
it or not, and if we must choose between evils, I prefer "rndc
validation off nasa.gov" to "rndc validation off".

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
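The bounded-lifetime NTA table sketched in the message above (default one hour, hard cap of one day, held only in memory so it lapses on its own), modelled here as an added illustration that is not BIND's code; the constants, class and method names are assumed, and the control-channel insertion path is left out:

```python
import time

DEFAULT_LIFETIME = 3600   # default NTA lifetime: one hour (value proposed in the post)
MAX_LIFETIME = 86400      # hard cap: one day; longer requests are clamped, never honoured


class NtaTable:
    """In-memory NTA table. Nothing is written to disk, so a restart empties it."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested deterministically
        self._entries = {}     # normalized zone name -> absolute expiry time

    @staticmethod
    def _normalize(name):
        return name.strip().rstrip(".").lower()

    def add(self, name, lifetime=DEFAULT_LIFETIME):
        """Insert (or refresh) an NTA; returns the expiry time actually granted."""
        if lifetime <= 0:
            raise ValueError("NTA lifetime must be positive")
        expiry = self._now() + min(lifetime, MAX_LIFETIME)
        self._entries[self._normalize(name)] = expiry
        return expiry

    def expire(self):
        """Drop lapsed entries; returns the names that were removed."""
        now = self._now()
        lapsed = sorted(n for n, exp in self._entries.items() if exp <= now)
        for n in lapsed:
            del self._entries[n]
        return lapsed

    def covers(self, qname):
        """Return the live NTA that applies to qname (itself or an ancestor), else None."""
        self.expire()
        labels = self._normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self._entries:
                return candidate
        return None


if __name__ == "__main__":
    table = NtaTable()
    table.add("nasa.gov")                     # one hour by default
    table.add("example.net", lifetime=10**6)  # asks for ~11 days, gets one day
    print(table.covers("www.nasa.gov"), table.covers("gov"))
```

A resolver would consult `covers()` only when deciding whether to skip validation for a failing name; every other answer is still validated, which is the difference between "validation off nasa.gov" and "validation off".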
