[dns-operations] Implementation of negative trust anchors?
regnauld at nsrc.org
Fri Aug 23 23:29:51 UTC 2013
David Conrad (drc) writes:
> I'd suggest that in the BCP/RFC/whatever, in addition to recommending that NTAs be time capped and not written to permanent storage, it should also recommend NTAs be written as specifically as possible. (Should be obvious, but doesn't hurt to reiterate I suppose).
What's wrong with "provide unvalidated results for this zone
until it validates"? I mean, we're now talking about automation,
scripts to reinsert NTAs, etc. Then we might as well implement
the logic to continually test validation for SOA or some other
specified record for the given zone, and reenable validation.
So instead of calling it NTA call it validation policy - the DNSSEC
equivalent of IPSEC's "required" vs. "use" policy setting. Yes, we
all know how successful opportunistic encryption was. Yes, some are
going to scream, but much better than nailing down an NTA ad vitam,
or tracking TTLs, or which DS is active, or...
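The validation-policy behaviour argued for above, as an added example (not code from the post's author or from any resolver): an in-memory NTA table that caps every entry's lifetime, never persists anything, matches the most specific covering NTA for a query name, and drops an NTA as soon as a supplied `validate_soa` callback (a stand-in for real DNSSEC validation of the zone's SOA record) reports success. The zone names and timestamps used are constructed.

```python
"""Time-capped negative trust anchors with automatic re-validation.
Hypothetical model; `validate_soa` is a caller-supplied callback that
returns True once the zone's SOA validates under DNSSEC."""
import time


class NtaTable:
    def __init__(self, max_lifetime=86400):
        # Hard cap (seconds) on how long any NTA may live, regardless of request.
        self.max_lifetime = max_lifetime
        self.entries = {}  # zone name -> expiry timestamp; memory only, never persisted

    @staticmethod
    def _canon(name):
        # Normalise "Broken.Example." and "broken.example" to one key.
        return name.rstrip(".").lower()

    def add(self, zone, lifetime, now=None):
        """Insert an NTA for exactly `zone`; the lifetime is clipped to the cap."""
        now = time.time() if now is None else now
        self.entries[self._canon(zone)] = now + min(lifetime, self.max_lifetime)

    def expire(self, now=None):
        """Drop every NTA whose time cap has passed."""
        now = time.time() if now is None else now
        self.entries = {z: t for z, t in self.entries.items() if t > now}

    def covering_nta(self, qname, now=None):
        """Return the most specific unexpired NTA at or above qname, or None.
        The resolver would skip validation only for names under that NTA."""
        self.expire(now)
        labels = self._canon(qname).split(".")
        for i in range(len(labels)):  # longest (most specific) match first
            cand = ".".join(labels[i:])
            if cand in self.entries:
                return cand
        return None

    def probe(self, validate_soa, now=None):
        """Re-test each NTA'd zone; remove the NTA as soon as its SOA validates.
        Returns the list of zones whose validation was re-enabled."""
        self.expire(now)
        cleared = [z for z in list(self.entries) if validate_soa(z)]
        for z in cleared:
            del self.entries[z]
        return cleared
```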