[dns-operations] Implementation of negative trust anchors?
WBrown at e1b.org
Fri Aug 23 17:27:32 UTC 2013
> From: Joe Abley <jabley at hopcount.ca>
> When there is sufficient validation in the world that the support
> costs of signing errors shift from validator operators to zone
> publishers, it seems reasonable to predict that any words on NTAs
> will become useless naturally, on their own. That seems far more
> likely than the outcome where validator operators continue to deploy
> NTAs (at their own cost) for no reason.
I don't think any resolver operator will ever be adding NTAs willy-nilly.
But when there is good reason (see past example re: lesson plans) such a
tool is helpful. As sites improve their signing procedures, they will be
needed less and less.
Once DNSSEC becomes nearly universal, browsers will start to warn of
unsigned DNS data. And people that care will start to look for their
browser to indicate DNSSEC validity, just as they look for the SSL
indicators now when going to sites they expect to be secured. This is
already available via plug-ins for some browsers.