[dns-operations] Implementation of negative trust anchors?

UFJORw== UFJORw at gmail.com
Fri Aug 23 17:54:27 UTC 2013

On Fri, Aug 23, 2013 at 01:27:32PM -0400, WBrown at e1b.org wrote:
> Once DNSSEC becomes nearly universal, browsers will start to warn of 
> unsigned DNS data.  And people that care will start to look for their 
> browser to indicate DNSSEC validity, just as they look for the SSL 
> indicators now when going to sites they expect to be secured.  This is 
> already available via plug-ins for some browsers.

Once the browser vendors have a clue/give a shit about DNSSEC, I bet they will add a shiny little button "let me in" which will repeat the query with the CD bit set, just like they did with TLS certificate validation exceptions.
Or worse, they will set up a centralized database of pseudo-NTAs, like they have built the safebrowsing blacklist.

NTA is a way to turn off DNSSEC for a single domain instead of having to go completely insecure, like some did a few days ago during the gov algorithm rollover screw-up (BTW, shutting DNSSEC validation down to have at least their own domain working was not the best thing to do: temporarily adding their own KSK to the list of trust anchors was the way to go (as the most specific key is preferred by all implementations I know of (despite the stupidity that is written here: http://tools.ietf.org/html/rfc6840#appendix-C )))
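The scoping argument in the message above, as an added illustration that is not part of the original post or of any resolver's code: a small model of how a validating resolver decides what governs a query name when it has a global validation switch, positive trust anchors and negative trust anchors (NTAs) configured. The entry for the most specific (longest) enclosing zone wins, which is why a per-zone NTA leaves the rest of the namespace validated and why a domain's own KSK, added as a trust anchor, takes precedence over a broken parent. NTAs here carry an expiry, following the later RFC 7646 guidance that they are temporary. The zone names, key tags and timestamps are constructed for the example; nothing here evaluates real signatures.

```python
"""Model of trust-anchor / negative-trust-anchor selection in a validating resolver.

Added example, not code from the dns-operations post or from any resolver.
All zone names, key tags and times below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterator, Optional, Tuple


def canonical(name: str) -> str:
    """Lower-case and add the trailing dot so 'Example.GOV' == 'example.gov.'."""
    n = name.strip().lower()
    return n if n.endswith(".") else n + "."


def ancestors(name: str) -> Iterator[str]:
    """Yield the name and each enclosing zone up to the root, most specific first."""
    labels = [label for label in canonical(name).split(".") if label]
    while True:
        yield ".".join(labels) + "." if labels else "."
        if not labels:
            return
        labels.pop(0)


@dataclass
class Anchor:
    zone: str
    key_tag: Optional[int]          # DNSKEY tag of a positive anchor; None means NTA
    expires: Optional[datetime]     # NTAs are temporary; positive anchors here never expire


class TrustConfig:
    def __init__(self, validate: bool = True) -> None:
        self.validate = validate    # the global switch the post argues against flipping
        self.anchors: Dict[str, Anchor] = {}

    def add_trust_anchor(self, zone: str, key_tag: int) -> None:
        self.anchors[canonical(zone)] = Anchor(canonical(zone), key_tag, None)

    def add_negative_trust_anchor(self, zone: str, now: datetime, lifetime: timedelta) -> None:
        self.anchors[canonical(zone)] = Anchor(canonical(zone), None, now + lifetime)

    def decide(self, qname: str, now: datetime) -> Tuple[str, Optional[str]]:
        """Return (outcome, governing zone).

        outcome is 'validate' (chain must verify from that anchor's key),
        'insecure' (treated as unsigned, no validation failure possible) or
        'indeterminate' (no covering anchor at all).
        """
        if not self.validate:
            return ("insecure", None)   # everything, everywhere, goes unvalidated
        for zone in ancestors(qname):   # most specific entry is consulted first
            anchor = self.anchors.get(zone)
            if anchor is None:
                continue
            if anchor.expires is not None and now >= anchor.expires:
                continue                # expired NTA is ignored; keep walking up
            if anchor.key_tag is None:
                return ("insecure", zone)
            return ("validate", zone)
        return ("indeterminate", None)


def build_example_config(now: datetime) -> TrustConfig:
    """Constructed scenario mirroring the post: root anchor, a parent zone whose
    chain is broken and therefore covered by a one-day NTA, and one child zone
    that instead published its own KSK as a more specific trust anchor."""
    cfg = TrustConfig(validate=True)
    cfg.add_trust_anchor(".", key_tag=10001)              # constructed tag
    cfg.add_negative_trust_anchor("gov.", now, timedelta(days=1))
    cfg.add_trust_anchor("agency.gov.", key_tag=20002)    # constructed child KSK
    return cfg


if __name__ == "__main__":
    t0 = datetime(2013, 8, 23, 18, 0, tzinfo=timezone.utc)
    cfg = build_example_config(t0)
    for q in ("www.example.com.", "www.broken.gov.", "www.agency.gov."):
        print(q, cfg.decide(q, t0))
    print("after NTA expiry:", cfg.decide("www.broken.gov.", t0 + timedelta(days=2)))
    print("validation off:", TrustConfig(validate=False).decide("www.example.com.", t0))
```

Walking the ancestors most-specific-first is the whole mechanism: the NTA on `gov.` only shadows names under it, the `agency.gov.` anchor shadows the NTA for that subtree, and once the NTA expires the walk falls through to the root anchor again, so a forgotten NTA does not silently become permanent.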
