[dns-operations] Implementation of negative trust anchors?

Scott Morizot tmorizot at sd.is.irs.gov
Sat Aug 24 00:21:22 UTC 2013


On 23 Aug 2013 at 19:54, UFJORw== wrote:
> NTA is a way to turn off DNSSEC for a single domain instead of
> having to go completely insecure, like some did a few days ago
> during the gov algorihm rollover screw up (BTW shutting DNSSEC
> validation down to have at least their own domain working was not
> the best thing to do: temporarily adding their own KSK to the list
> of trust anchors was the way to go (as the most specific key is
> prefered by all implementations i know of (despite the stupidity
> that is written here : http://tools.ietf.org/html/rfc6840#appendix-C
> ))) 

Ummm. No. Not all of our domains are necessarily signed or in a signed 
tree. The .gov screw-up broke secure and insecure delegations from .gov. 
I considered all this as I watched the .gov DNSKEY RRSet TTL count down 
in those caches which still had it before recommending we disable 
validation until it could be corrected.

Having your TLD screw up DNSSEC validation is particularly bad...

Scott



More information about the dns-operations mailing list