[dns-operations] Implementation of negative trust anchors?
Ralf.Weber at nominum.com
Mon Aug 26 11:18:37 UTC 2013
On 26 Aug 2013, at 08:16, Randy Bush <randy at psg.com> wrote:
> an american idiom is "keep your eye on the doughnut not the hole." this NTA discussion focuses on the wrong thing.
> why is the frelling software on the farbled server not detecting that is has been farbled and screaming loudly? why is it not preventing most of these farblings in the first place? when mongolia tried to change key [alg] to one that was not in the root, their software should not have done it.
> fix the software and the ops processes. do not patch over the problems or they will increase. the problem is weak software and processes that need to be fixed, and patching and denial will not fix them.
I fully agree with you on better software and better processes, and better monitoring tools, etc. However keep in mind that the people deploying resolvers are not the people signing the zones. So what would your advise be to the people running resolvers/validators?
More information about the dns-operations