[dns-operations] Implementation of negative trust anchors?

Phil Regnauld regnauld at nsrc.org
Fri Aug 23 23:29:51 UTC 2013

David Conrad (drc) writes:
> I'd suggest that in the BCP/RFC/whatever, in addition to recommending that NTAs be time capped and not written to permanent storage, it should also recommend NTAs be written as specifically as possible.  (Should be obvious, but doesn't hurt to reiterate I suppose).

	What's wrong with "provide unvalidated results for this zone
	until it validates" ? I mean, we're now talking about automation,
	scripts to reinsert NTAs, etc. Then we might as well implement
	the logic to continually test validation for SOA or some other
	specified record for the given zone, and reenable validation.

	So instead of calling it NTA call it validation policy - the DNSSEC
	equivalent of IPSEC's "required" vs. "use" policy setting. Yes, we
	all know how succesful opportunistic encryption was. Yes, some are
	going to scream, but much better than nailing down an NTA ad vitam,
	or tracking TTLs, or which DS is active, or...

More information about the dns-operations mailing list