[dns-operations] Implementation of negative trust anchors?
tmorizot at sd.is.irs.gov
Fri Aug 23 21:56:04 UTC 2013
On 22 Aug 2013 at 14:37, Joe Abley wrote:
> If we accept that logic, then the pertinent questions is whether or
> not NTAs should be standardised (in a protocol or operational
> sense). I think the answer is yes. So do others. Some don't see
> value in it, but that's fine; nobody is *requiring* anybody to
> implement anything.
If they are made a part of the standard, then the various DNS
implementations will be expected (reasonably) to implement them. And they
then become a standard operational tool, making DNSSEC little better than
the current certificate process.
If recursive, caching nameserver operators have to roll their own
implementation to achieve the goal, it keeps NTAs contained. Sure, some
people will go to that trouble, but unless they have a well-defined
reason to do so, most won't.
More information about the dns-operations