[dns-operations] Implementation of negative trust anchors?

Frank Habicht geier at geier.ne.tz
Sat Aug 24 04:26:11 UTC 2013


On 8/23/2013 11:56 PM, Joe Abley wrote:
> Experience shared by Comcast and Google suggests that NTAs are
> necessary for validation on a large scale. However, Comcast and Google
> are engaged and have the resources to do the right thing; small
> resolver operators are generally not engaged and have fewer resources
> available to deal with support-loading (churn-enhancing,
> profit-harming) problems whose origins are elsewhere. They are far
> more likely to be guided by (a) the hooks available in their software
> and (b) the kind of rumour mill that came up with "block ICMP for
> security reasons".
> Reasoned guidance from the IETF at best would improve (a) and decrease
> the incidence of (b). At worst, it would do no harm.

Decreasing the pain to the zone editor considered harmful.

We live in a world where the big ones mentioned have and will have NTAs.
Otherwise they wouldn't do any validation.

The suggestion is to spread these tools to more and more resolver
operators. This will directly remove pain for the zone editors making the
original mistakes. Editors will continue to make mistakes. NTAs will be there
forever. Dislike.
Seems it's a crossroads now. Do we tell the resolver operators to
fix-by-workaround broken zones, or do we tell editors to be more serious
and that from now on they MUST get it right?
To do both would be sending mixed signals.

at a resource-starved ISP still doing neither (signing|validating)
