[dns-operations] Implementation of negative trust anchors?

Ralf Weber Ralf.Weber at nominum.com
Mon Aug 26 05:27:36 UTC 2013


MoiN!

On 24 Aug 2013, at 06:26, Frank Habicht <geier at geier.ne.tz> wrote:
>  8/23/2013 11:56 PM, Joe Abley wrote:
>> profit-harming) problems whose origins are elsewhere. They are far
>> more likely to be guided by (a) the hooks available in their software
>> and (b) the kind of rumour mill that came up with "block ICMP for
>> security reasons".
>> 
>> Reasoned guidance from the IETF at best would improve (a) and decrease
>> the incidence of (b). At worst, it would do no harm.
> 
> Decreasing the pain to the zone editor considered harmful.
That's not what is intended and if you read 
	https://datatracker.ietf.org/doc/draft-livingood-negative-trust-anchors/
section 7 clearly states responsibilities for the problems.

> We live in a world where the big ones mentioned have and will have NTAs.
> Otherwise they wouldn't do any validation.
And the draft tries to document reasonable operational practices for them which if such a draft didn't exists everybody would do on there own with maybe not so good results. We already had cases where large operators stopped validation after the first incident and haven't gone back since.

> The suggestion is to spread these tools to more and more resolver
> operators.
The suggestion is to document what to do if someone decides to use NTA, the tools are already there and will be use regardless if we document their proper usage or not. 

> This will directly remove pain to the zone editors doing the
> original mistakes. editors will continue to do mistakes. NTA will be there
> for ever. Dislike.
Not documenting something doesn't make it go away (see NAT). It just makes it harder to interoperate.

> Seems it's a crossroads now. do we tell the resolver operators to
> fix-by-workaround broken zones, or do we tell editors to be more serious
> and from now they MUST get it right.
> To do both would be sending mixed signals.
IMHO if we only tell zone editors to do the right thing, and resolver operators to just take the hit some zone operators will still not get it right and we will not get widespread adoption of DNSSEC in the resolver space. 

> Frank
> at resource-starved isp still doing neither (signing|validating)
Well think about what would make your bosses do it and what your responses to them in the case of problems would be.

So long
-Ralf






More information about the dns-operations mailing list