[dns-operations] Implementation of negative trust anchors?

[WBrown at e1b.org]

> From: Joe Abley <jabley at hopcount.ca>

> When there is sufficient validation in the world that the support 
> costs of signing errors shift from validator operators to zone 
> publishers, it seems reasonable to predict that any words on NTAs 
> will become useless naturally, on their own. That seems far more 
> likely than the outcome where validator operators continue to deploy
> NTAs (at their own cost) for no reason.

I don't think and resolver operator will ever be adding NTA willy-nilly. 
But when there is good reason (see past example re: lesson plans) such a 
tool is helpful.  As sites improve their signing procedures, they will be 
needed less and less.

Once DNSSEC becomes nearly universal, browsers will start to warn of 
unsigned DNS data.  And people that care will start to look for their 
browser to indicate DNSSEC validity, just as they look for the SSL 
indicators now when going to sites they expect to be secured.  This is 
already available via plug-ins for some browsers.



Confidentiality Notice: 
This electronic message and any attachments may contain confidential or 
privileged information, and is intended only for the individual or entity 
identified above as the addressee. If you are not the addressee (or the 
employee or agent responsible to deliver it to the addressee), or if this 
message has been addressed to you in error, you are hereby notified that 
you may not copy, forward, disclose or use any part of this message or any 
attachments. Please notify the sender immediately by return e-mail or 
telephone and delete this message from your system.