[dns-operations] Implementation of negative trust anchors?

Vernon Schryver vjs at rhyolite.com
Fri Aug 23 19:13:35 UTC 2013

> From: David Conrad <drc at virtualized.org>

> > They would be better served by `rndc validation off X hours` with
> > a limit on the "X hours" of 24 than any sort of NTA hook.
> So, because one zone messes up signing, instead of opening up that one
> zone to spoofing attack you think it is better the resolver operator
> opens up all zones to spoofing attack?
> This seems wrong to me.

It's wrong only if you accept the false choice between validation off
and a targeted NTA.  We're talking about *resolver* server operators,
not authority operators or IETF participants.

Big resolver server operators not selling resolution will not bother
figuring things out.  They'll ignore complaints, send users chasing
whois phone numbers, or turn off DNSSEC.  They don't have time or
permission to diagnose other people's DNSSEC problems enough to use
NTA correctly.  See the Comcast web page for proof of that.

The resolver servers selling resolutions will use NTA correctly,
but they already have NTA and don't care about opinions from peanut
galleries including the IETF.

The majority of resolver server operators will not use NTA more
than a half a dozen times.  Then they'll treat DNSSEC errors
like bad delegations or use one form or another of "validation off"
including NTA as close to the root as they can go.  The best bet to
keep them from a static "validation off" is an automatically
sunsetting form.

> I'd suggest that in the BCP/RFC/whatever, in addition to recommending
> that NTAs be time capped and not written to permanent storage, it should
> also recommend NTAs be written as specifically as possible.

Yes, that transient NTA is a good idea I'd not heard/noticed/understood
until today, but it does not redeem NTA.

I can't believe you're seriously suggesting that words in any IETF
document telling people to use narrow NTAs would have any effect
on resolver operators.

Practically no one who might use any NTA hook will understand or
(be allowed to) care enough to figure out to hit cnn.co.uk instead
of cnn.com.  Of necessity they'll just keep hitting the NTA button
with semi-random domains until the calls stop.  The wise ones will
go straight as high as they can, functionally to "validation off".

Vernon Schryver    vjs at rhyolite.com
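The two properties argued over in this thread, an NTA that sunsets on its own (capped at the 24 hours mentioned above) and an NTA that only covers the name it was installed at and the names below it, can be modelled in a few dozen lines. The following is an added illustration written for this archive page; it is not code from the thread, from BIND, or from any resolver. The 24-hour cap constant, the in-memory table, and the `ManualClock` used to exercise expiry are all constructed for the example.

```python
"""Model of a negative trust anchor (NTA) table with a capped lifetime and
label-boundary scoping.  Constructed example, not a resolver's real code."""
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Callable

# Assumed cap, standing in for the "X hours" limit of 24 discussed in the thread.
MAX_NTA_LIFETIME = 24 * 3600


def name_to_labels(name: str) -> tuple[str, ...]:
    """Split a DNS name into lower-cased labels, dropping the root label."""
    return tuple(label.lower() for label in name.rstrip(".").split(".") if label)


@dataclass
class NegativeTrustAnchor:
    labels: tuple[str, ...]   # owner name of the NTA, least significant label first
    expires_at: float         # absolute time after which the NTA is ignored


class NTATable:
    """In-memory NTA store: nothing is written to disk, so a restart clears it."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._entries: dict[tuple[str, ...], NegativeTrustAnchor] = {}

    def add(self, name: str, lifetime: float) -> float:
        """Install an NTA at `name`; returns the lifetime actually granted."""
        labels = name_to_labels(name)
        if not labels:
            # An NTA at the root would silently disable validation for everything.
            raise ValueError("refusing NTA at the root; use validation off explicitly")
        if lifetime <= 0:
            raise ValueError("lifetime must be positive")
        granted = min(lifetime, MAX_NTA_LIFETIME)  # the sunset is not negotiable
        self._entries[labels] = NegativeTrustAnchor(labels, self._clock() + granted)
        return granted

    def _purge_expired(self) -> None:
        now = self._clock()
        for key in [k for k, e in self._entries.items() if e.expires_at <= now]:
            del self._entries[key]

    def covering_nta(self, qname: str) -> str | None:
        """Most specific active NTA at or above qname, as a FQDN, or None."""
        self._purge_expired()
        labels = name_to_labels(qname)
        # Walk from the full name up towards the TLD; matching whole labels means
        # an NTA for cnn.co.uk never covers notcnn.co.uk or cnn.com.
        for depth in range(len(labels), 0, -1):
            suffix = labels[-depth:]
            if suffix in self._entries:
                return ".".join(suffix) + "."
        return None

    def validation_suppressed(self, qname: str) -> bool:
        """True when a live NTA tells the validator to skip this name."""
        return self.covering_nta(qname) is not None

    def active(self) -> list[str]:
        """Names of all NTAs that have not yet expired."""
        self._purge_expired()
        return sorted(".".join(e.labels) + "." for e in self._entries.values())


class ManualClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = ManualClock()
    table = NTATable(clock)
    table.add("cnn.co.uk", 3600)
    print(table.covering_nta("www.cnn.co.uk"))     # cnn.co.uk.
    print(table.validation_suppressed("cnn.com"))  # False
    clock.advance(3601)
    print(table.active())                          # []
```

The table deliberately has no persistence and no way to request more than the cap; an operator who wants validation off for longer has to say so in a command that reads as such, which is the point of an automatically sunsetting form.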
