[dns-operations] Implementation of negative trust anchors?
Scott Morizot
tmorizot at sd.is.irs.gov
Sat Aug 24 00:21:22 UTC 2013
On 23 Aug 2013 at 19:54, UFJORw== wrote:
> NTA is a way to turn off DNSSEC for a single domain instead of
> having to go completely insecure, like some did a few days ago
> during the gov algorithm rollover screw up (BTW shutting DNSSEC
> validation down to have at least their own domain working was not
> the best thing to do: temporarily adding their own KSK to the list
> of trust anchors was the way to go (as the most specific key is
> preferred by all implementations I know of (despite the stupidity
> that is written here: http://tools.ietf.org/html/rfc6840#appendix-C
> )))
Ummm. No. Not all of our domains are necessarily signed or in a signed
tree. The .gov screw-up broke secure and insecure delegations from .gov.
I considered all this as I watched the .gov DNSKEY RRSet TTL count down
in those caches which still had it before recommending we disable
validation until it could be corrected.
Having your TLD screw up DNSSEC validation is particularly bad...
Scott
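To make the trade-off discussed above concrete, here is an Unbound `server:` fragment added for illustration (not from the thread or from the IRS) contrasting the three reactions to a broken parent zone: disabling validation outright, a negative trust anchor via `domain-insecure`, and a local trust anchor for the operator's own zone. The zone name, DS digest and file path are placeholders.

```conf
# Unbound resolver, three ways to react when a parent zone (here "gov")
# breaks its DNSSEC chain. Added example, not the thread's own config.
server:
    # Normal root anchor; path is a placeholder for your distribution's.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Option 1 (what some operators did): turn validation off for every
    # zone. The default is "validator iterator"; dropping the validator
    # module means nothing at all is validated any more, not just the
    # broken delegation.
    # module-config: "iterator"

    # Option 2 (negative trust anchor): treat only the broken zone as
    # unsigned. Names under it, whether signed or not, now resolve
    # without validation, so this also covers insecure delegations that
    # the parent's mistake broke. All other zones stay validated.
    # domain-insecure: "gov"

    # Option 3 (the quoted poster's suggestion): keep validation on and
    # add the operator's own zone KSK as a trust anchor. Only names at or
    # below this anchor are rescued; sibling zones and unsigned
    # delegations from the broken parent still fail validation.
    # Digest value is a placeholder, not a real key.
    trust-anchor: "example.gov. DS 12345 8 2 PLACEHOLDER_DIGEST"
```

Options 2 and 3 are not exclusive: an NTA keeps the rest of the namespace resolving while the parent is repaired, and a local anchor additionally keeps the operator's own signed zone validated. Remove either one as soon as the parent is fixed, since both override the normal chain of trust.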