[dns-operations] Implementation of negative trust anchors?

Vernon Schryver vjs at rhyolite.com
Fri Aug 23 17:51:19 UTC 2013

> From: Evan Hunt <each at isc.org>

> > On the contrary, given minimal cover such as an RFC, corporate types
> > at eyeball networks will mandate add-only NTA lists that only grow and
> > never lose entries.
> Obviously that's possible, but IIRC the draft requires that NTA entries
> have limited (and short) lifetimes.

HAH!  If RFCs were Law, then the DNSSEC RFCs would have long
since answered any question about NTA as "ABSOLUTE NEVER!"
In the real world, RFCs are no more or less than hints on what
to do to minimize complaints and sanctified excuses for doing
what you want to do anyway.

> If we decide to implement this in BIND (it's on our roadmap, but with a
> question mark), I expect the NTA lifetime will default to an hour and be
> capped at a day.  NTAs would be inserted via the control channel (rndc)
> rather than a configuration file change, and wouldn't persist across
> system restarts.  An operator could write a script to continually
> insert the same NTA's over and over again forever, but it would be
> easier to allow them to lapse as intended.

I agree that's not nearly as evil as NTAs in a configuration file,
or a cron script that runs every 30 minutes and does a few 100K
`rndc nta` commands to fix that problem that someone reported
year before last in the .gov signatures,
and protect the advertising revenue from those typosquatted domains.

> I was against NTAs when they were first proposed; I've come around.
> Disabling validation because of signing failures is the wrong thing
> to do, but people are going to do the wrong thing whether I like
> it or not, and if we must choose between evils, I prefer "rndc
> validation off nasa.gov" to "rndc validation off".

On the contrary, in the real world this year, the people using
`rndc nta` will decide after the 42nd time in 48 hours of renewing
the protection for the .gov problem
(not counting the 6 renewals that should have been done between
01:00 and 03:00 when the people empowered to use `rndc nta` were asleep)
to either `echo "rndc nta nasa" >>nta-cron-script` or 
`rndc validation off`.

Next year, those empowered people will be tired of diagnosing DNSSEC
problems and arguing with their bosses about the value of DNSSEC.
They'll give second-line support a button to push that does
`echo "rndc nta $1" >>nta-cron-script`.

Vernon Schryver    vjs at rhyolite.com
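The renewal treadmill described in the message above (an NTA that lapses every hour, a human or a cron script re-arming it 42 times in 48 hours) is exactly the pattern an operator can put friction on. The following wrapper is an added example, not code from this thread or from BIND: it shells out to `rndc nta` but keeps a JSON history of renewals per name and refuses to renew the same name more than a fixed number of times inside a 48-hour window, so the "echo into the cron script" shortcut fails loudly instead of silently disabling validation for that domain. The `rndc nta -lifetime` syntax is taken from later BIND 9 releases (it did not exist when this message was written); the state-file location, the thresholds and the `nasa.gov` test input are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Friction wrapper around `rndc nta` (example code, not BIND's own).

Each NTA insertion is recorded in a JSON state file. Renewing the same
name more than MAX_RENEWALS times inside WINDOW_SECONDS is refused, so a
"re-add the NTA forever" cron job fails instead of quietly turning
validation off for that domain. Assumptions: the `rndc nta -lifetime`
syntax of later BIND 9 releases, and the state-file path below.
"""
import json
import subprocess
import sys
import time
from pathlib import Path

STATE_FILE = Path("/var/lib/named/nta-renewals.json")  # assumed location
MAX_RENEWALS = 3            # renewals of one name tolerated per window
WINDOW_SECONDS = 48 * 3600  # the 48-hour window from the message above
NTA_LIFETIME = "1h"         # the default lifetime proposed in the thread


def normalize(name: str) -> str:
    """Canonical owner name: lower-case, no trailing dot, no whitespace."""
    return name.strip().rstrip(".").lower()


def recent_renewals(history: dict, name: str, now: float) -> list:
    """Timestamps of renewals of `name` that still fall inside the window."""
    return [t for t in history.get(name, []) if now - t < WINDOW_SECONDS]


def decide(history: dict, name: str, now: float) -> tuple:
    """Policy check only: return (allowed, renewals_in_window)."""
    recent = recent_renewals(history, name, now)
    return len(recent) < MAX_RENEWALS, len(recent)


def request_nta(name: str, history: dict, now=None,
                runner=subprocess.run) -> bool:
    """Insert a short-lived NTA for `name` if policy allows; record it.

    `runner` is injectable so the policy can be exercised without a running
    named; the default shells out to rndc. Returns True if the NTA was set.
    """
    name = normalize(name)
    now = time.time() if now is None else now
    allowed, count = decide(history, name, now)
    if not allowed:
        print(f"refused: {name} renewed {count} times in the last "
              f"{WINDOW_SECONDS // 3600}h; fix the signing problem instead",
              file=sys.stderr)
        return False
    runner(["rndc", "nta", "-lifetime", NTA_LIFETIME, name], check=True)
    # Keep only in-window timestamps so the state file cannot grow forever.
    history[name] = recent_renewals(history, name, now) + [now]
    return True


def load_state(path: Path = STATE_FILE) -> dict:
    """Read the renewal history; an absent file means no history."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_state(history: dict, path: Path = STATE_FILE) -> None:
    """Persist the renewal history after a successful or refused request."""
    path.write_text(json.dumps(history))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: nta-wrapper.py <domain>")
    state = load_state()
    ok = request_nta(sys.argv[1], state)
    save_state(state)
    sys.exit(0 if ok else 1)
```

Give second-line support this script instead of raw `rndc` access and the fourth renewal of the same name in two days returns non-zero with a message, which is the point at which someone has to open a ticket about the signatures rather than keep pushing the button.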
