[dns-operations] Implementation of negative trust anchors?

David Conrad drc at virtualized.org
Fri Aug 23 18:24:47 UTC 2013


On Aug 23, 2013, at 9:02 AM, Vernon Schryver <vjs at rhyolite.com> wrote:
> Eyeball networks would be best served by turning off DNSSEC.  

I believe this is what they're trying to avoid.

> Let's be honest and admit that talk about NTA today and tomorrow (as
> opposed to last year) is really a statement of regret about DNSSEC and
> a demand that DNSSEC just go away.  

If this were the case, it is much easier to just put 

dnssec-validation no;

in configurations and let others get the arrows in the back.

> } > On the contrary, NTA is a new tool for deliberately introducing new
> } > faults in the data you give your DNS clients.
> } True.  This is why I suspect corporate types will have hesitancy to use
> } NTAs and wish to remove them as soon as possible.
> On the contrary, given minimal cover such as an RFC,

RFCs provide no cover.  If a validator operator sets an NTA and their customers are compromised by an attack that would have otherwise been prevented by DNSSEC, I strongly suspect the validator operator will have set themselves up for an interesting set of meetings with their customers' lawyers.

Regards,
-drc
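The contrast in this message, between switching validation off for everything and removing it only for one zone, can be shown as two resolver configurations. The following named.conf fragments are an added example, not part of the original post; they assume a BIND version new enough to support the `validate-except` option and the `rndc nta` command (BIND 9.11 or later), and the zone name `broken.example` is a constructed placeholder.

```conf
# Added example (not from the thread). Two ways a validator operator can
# react to a zone whose DNSSEC chain is broken.

# --- Weak setting: the line quoted in the thread -------------------------
# Turns validation off for every name, so the resolver no longer rejects
# forged answers for any zone, not just the broken one.
options {
    dnssec-validation no;
};

# --- Scoped alternative: a negative trust anchor for one zone -----------
# Validation stays on globally; only names at or below broken.example
# are treated as insecure. (validate-except is assumed to be available,
# BIND 9.11+.) The downside the thread raises still applies: answers for
# broken.example are now unprotected, so the entry should be removed as
# soon as the zone's signatures are repaired.
options {
    dnssec-validation auto;
    validate-except { "broken.example"; };
};
```

A runtime NTA added with `rndc nta` (also assumed to be BIND 9.11+) has the advantage that it carries a lifetime and expires on its own, which limits how long the scoped exposure lasts if nobody remembers to take it out; the static `validate-except` entry above stays in force until someone edits the configuration again.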
