[dns-operations] Implementation of negative trust anchors?

Vernon Schryver vjs at rhyolite.com
Fri Aug 23 18:10:04 UTC 2013

> From: Evan Hunt <each at isc.org>

> it or not, and if we must choose between evils, I prefer "rndc
> validation off nasa.gov" to "rndc validation off".


} A document that advised limits on the use of NTAs -- for example, the
} recommendation in Jason's draft that they not persist for more than
} a day -- would be okay by me.

On second thought,

Consider the situations of resolver operators confronted with a
situation where you might use `rndc nta`.  Almost all of them will
(and even now most) lack the expertise, time, inclination to
figure out which domain to hit with `rnd nta sub.dom.example.com`.
They'll only know (or hope) that the irate phone calls from principals
about broken lesson plans are related to DNSSEC problems.

They would be better served by `rndc validation off X hours` with 
a limit on the "X hours" of 24 than any sort of NTA hook.

If you don't let them to use `rndc validation off X hours`, most will
use `rndc nta gov` because their users will be shouting about governement
web site problems and they won't have the time, inclination, or
permission to discover that it's only the apod.nasa.gov.

Vernon Schryver    vjs at rhyolite.com

More information about the dns-operations mailing list