[dns-operations] Implementation of negative trust anchors?

Scott Morizot tmorizot at sd.is.irs.gov
Fri Aug 23 21:56:04 UTC 2013


On 22 Aug 2013 at 14:37, Joe Abley wrote:
> If we accept that logic, then the pertinent question is whether or
> not NTAs should be standardised (in a protocol or operational
> sense). I think the answer is yes. So do others. Some don't see
> value in it, but that's fine; nobody is *requiring* anybody to
> implement anything. 

If they are made a part of the standard, then the various DNS 
implementations will be expected (reasonably) to implement them. And they 
then become a standard operational tool, making DNSSEC little better than 
the current certificate process.

If recursive, caching nameserver operators have to roll their own 
implementation to achieve the goal, it keeps NTAs contained. Sure, some 
people will go to that trouble, but unless they have a well-defined 
reason to do so, most won't.

Scott



