[dns-operations] Implementation of negative trust anchors?

Joe Abley jabley at hopcount.ca
Fri Aug 23 20:56:08 UTC 2013


On 2013-08-23, at 15:14, Vernon Schryver <vjs at rhyolite.com> wrote:

> I can't believe you're seriously suggesting that words in any IETF
> document telling people to use narrow NTAs would have any effect
> on resolver operators.

Personally, my hope is that such words would provide guidance to
software vendors, to constrain resolver operators with sensible
mechanisms that solve specific problems narrowly.

Experience shared by Comcast and Google suggests that NTAs are
necessary for validation on a large scale. However, Comcast and Google
are engaged and have the resources to do the right thing; small
resolver operators are generally not engaged and have fewer resources
available to deal with support-loading (churn-enhancing,
profit-harming) problems whose origins are elsewhere. They are far
more likely to be guided by (a) the hooks available in their software
and (b) the kind of rumour mill that came up with "block ICMP for
security reasons".

Reasoned guidance from the IETF at best would improve (a) and decrease
the incidence of (b). At worst, it would do no harm.


Joe
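A concrete illustration of the "narrow" mechanism this message argues for, added here as an example; it is not part of the original post and is not Joe's or Vernon's text. It assumes an operator has already confirmed that example.com (a placeholder name) fails validation because of a zone-operator mistake rather than an attack, and shows the narrowly scoped NTA beside the blunt alternative that an under-resourced operator is tempted into. Note that BIND's `rndc nta` command did not exist when this thread was written; it arrived in BIND 9.11.

```text
# --- Unbound (unbound.conf, server: section) ---
# Narrow: skip DNSSEC validation only for example.com and the names
# beneath it. Every other name the resolver serves is still validated.
server:
    domain-insecure: "example.com"

# Too broad: stops SERVFAIL on *every* validation failure, for every
# zone, and silently survives long after the original breakage is gone.
server:
    val-permissive-mode: yes

# --- BIND 9.11 and later (runtime, no reload needed) ---
# Narrow: add an NTA for example.com that expires on its own after two
# hours; named keeps re-checking whether the zone validates meanwhile.
rndc nta -lifetime 2h example.com

# Audit what is in force, and remove the NTA once the zone is repaired.
rndc nta -dump
rndc nta -remove example.com

# Too broad (named.conf): disables validation for every name, permanently.
options {
    dnssec-validation no;
};
```

The property worth preserving is that the NTA is scoped to the broken zone and bounded in time: BIND caps the lifetime at one week and expires the entry by itself, while the Unbound `domain-insecure` line lives in the config until someone remembers to take it out, so it should be tied to whatever ticket tracks the upstream fix.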


