[dns-operations] Implementation of negative trust anchors?

David Conrad drc at virtualized.org
Fri Aug 23 18:46:12 UTC 2013


Vernon,

On Aug 23, 2013, at 11:10 AM, Vernon Schryver <vjs at rhyolite.com> wrote:
> They would be better served by `rndc validation off X hours` with 
> a limit on the "X hours" of 24 than any sort of NTA hook.

So, because one zone messes up signing, instead of opening up that one zone to spoofing attack you think it is better the resolver operator opens up all zones to spoofing attack?

This seems wrong to me.

> If you don't let them to use `rndc validation off X hours`, most will
> use `rndc nta gov` because their users will be shouting about government
> web site problems and they won't have the time, inclination, or
> permission to discover that it's only the apod.nasa.gov.

I'd suggest that in the BCP/RFC/whatever, in addition to recommending that NTAs be time capped and not written to permanent storage, it should also recommend NTAs be written as specifically as possible.  (Should be obvious, but doesn't hurt to reiterate I suppose).

Regards,
-drc
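The three properties argued for in this thread (time-capped, never persisted, as specific as possible) can be modelled in a small validator-side NTA table. The following is an added example, not code from BIND or from anyone on this list; the 24-hour cap mirrors the "X hours" limit quoted above, and the "too broad" heuristic (root or TLD-level NTAs such as `gov`) is an assumption of this example.

```python
import time

MAX_NTA_LIFETIME = 24 * 3600  # assumed cap: 24 hours, the limit suggested in the thread


def _canon(name):
    """Lower-case, fully qualified form with a trailing dot ('gov' -> 'gov.')."""
    return name.strip().lower().rstrip(".") + "."


def too_broad(name):
    """Heuristic: an NTA on the root or a TLD (e.g. 'gov.') turns off validation
    for far more than the one broken zone, which is what the thread warns against."""
    return len([l for l in _canon(name).split(".") if l]) < 2


class NegativeTrustAnchors:
    """In-memory NTA table: nothing is written to disk, so a restart drops every entry."""

    def __init__(self, max_lifetime=MAX_NTA_LIFETIME, clock=time.time):
        self._max = max_lifetime
        self._clock = clock
        self._entries = {}  # canonical owner name -> absolute expiry time

    def add(self, name, lifetime):
        """Install an NTA; lifetimes above the cap are refused rather than clamped."""
        if not 0 < lifetime <= self._max:
            raise ValueError(f"NTA lifetime must be in (0, {self._max}] seconds")
        name = _canon(name)
        self._entries[name] = self._clock() + lifetime
        return name

    def _expire(self):
        now = self._clock()
        for n in [n for n, exp in self._entries.items() if exp <= now]:
            del self._entries[n]

    def covers(self, qname):
        """Return the most specific live NTA at or above qname, else None."""
        self._expire()
        labels = [l for l in _canon(qname).split(".") if l]
        for i in range(len(labels)):  # most specific suffix first
            candidate = ".".join(labels[i:]) + "."
            if candidate in self._entries:
                return candidate
        return None

    def should_validate(self, qname):
        """DNSSEC validation stays on unless a live NTA covers the name."""
        return self.covers(qname) is None
```

An NTA on `apod.nasa.gov` leaves `www.nasa.gov` and every other `.gov` name validated, which is the point of writing the anchor as specifically as possible.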
