[dns-operations] Implementation of negative trust anchors?

David Conrad drc at virtualized.org
Fri Aug 23 18:34:00 UTC 2013

On Aug 23, 2013, at 9:19 AM, Paul Vixie <paul at redbarn.org> wrote:
> if nasa.gov had screwed up its delegation or had allowed its public secondary servers to expire the zone due to primary unreachability, i do not think the phone at comcast would have rung less, but i also don't think that comcast would have fixed nasa's error in local policy.

That's because every resolver operator would have been affected, not just Comcast, so the screams that Comcast (alone) was censoring NASA for <conspiracy theory du jour> would have been trivially dismissed.

If you want a reminder of the stupidity Comcast (alone AFAIK) experienced, see http://nasawatch.com/archives/2012/01/comcast-blocks.html

> we're only talking about this because DNSSEC is new.

Of course. NTA is a mechanism that allows folks who want to do the right thing to do so without incurring costs that folks who aren't interested in doing the right thing won't incur.  As more folks start validating, the playing field levels out and the need for NTA decreases.

