[dns-operations] Implementation of negative trust anchors?
drc at virtualized.org
Fri Aug 23 18:24:47 UTC 2013
On Aug 23, 2013, at 9:02 AM, Vernon Schryver <vjs at rhyolite.com> wrote:
> Eyeball networks would be best served by turning off DNSSEC.
I believe this is what they're trying to avoid.
> Let's be honest and admit that talk about NTA today and tomorrow (as
> opposed to last year) is really a statement of regret about DNSSEC and
> a demand that DNSSEC just go away.
If this were the case, it is much easier to just put
in configurations and let others get the arrows in the back.
> } > On the contrary, NTA is a new tool for deliberately introducing new
> } > faults in the data you give your DNS clients.
> } True. This is why I suspect corporate types will have hesitancy to use
> } NTAs and wish to remove them as soon as possible.
> On the contrary, given minimal cover such as an RFC,
RFCs provide no cover. If a validator operator sets an NTA and their customers are compromised by an attack that would have otherwise been prevented by DNSSEC, I strongly suspect the validator operator will have set themselves up for an interesting set of meetings with their customers' lawyers.
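As an added illustration (not from the thread or any resolver's code): a toy model of how a validator treats answers once an operator installs a negative trust anchor. Signature checking is reduced to a flag, and the NTA is time-limited; the point it shows is that an NTA turns every validation failure under the covered name, whether caused by a broken zone or by something else, into a passed-through "insecure" answer until it expires.

```python
from dataclasses import dataclass, field
from enum import Enum

# Toy model of a validating resolver with negative trust anchors (NTAs).
# Signature checking is reduced to a flag; a real validator walks the chain
# of trust from the configured trust anchor instead.

class Status(Enum):
    SECURE = "secure"      # chain of trust verified
    INSECURE = "insecure"  # no DNSSEC protection applies; data passed through
    BOGUS = "bogus"        # validation failed; resolver answers SERVFAIL

@dataclass
class Answer:
    name: str
    rdata: str
    signed: bool     # the zone is signed (parent publishes DS for it)
    sig_valid: bool  # RRSIG chain checks out against the trust anchor

@dataclass
class Validator:
    # zone -> expiry time; every NTA is time-limited so that a forgotten one
    # does not silently disable validation for that zone forever
    ntas: dict = field(default_factory=dict)

    def add_nta(self, zone, now, lifetime=3600):
        self.ntas[zone.rstrip(".").lower()] = now + lifetime

    def nta_covers(self, name, now):
        name = name.rstrip(".").lower()
        for zone, expiry in self.ntas.items():
            if expiry > now and (name == zone or name.endswith("." + zone)):
                return True
        return False

    def resolve(self, ans, now):
        """Return (Status, rdata); rdata is None when the answer is withheld."""
        if not ans.signed:
            return Status.INSECURE, ans.rdata
        if ans.sig_valid:
            return Status.SECURE, ans.rdata
        if self.nta_covers(ans.name, now):
            # The NTA downgrades a validation failure to an unsigned-looking
            # answer. A misconfigured zone becomes reachable again, but any
            # other bad answer under that name passes too: this is the
            # deliberately introduced fault the thread argues about.
            return Status.INSECURE, ans.rdata
        return Status.BOGUS, None
```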