[dns-operations] Implementation of negative trust anchors?

Phil Regnauld regnauld at nsrc.org
Mon Aug 26 11:40:42 UTC 2013

On 26/08/2013, at 13.18, Ralf Weber <Ralf.Weber at nominum.com> wrote:

> So what would your advise be to the people running resolvers/validators?

Currently validating resolvers suffer from an additional and different set of configuration mistakes from those that don't validate. Arguably if everyone validated then it wouldn't matter if foo.com failed because they fumbled  the DS or failed to pay for renewal. At that stage, It's Their Problem, Not Yours because everyone on the resolver side experiences the same problem (give or take $ttl just like in insecure DNS).  So get everyone else to validate so we're all in the same boat :)

Humor aside, I agree better automated processes would help - although today no software helps you prevent  mismatched parent and child delegations, for instance. But dnssec IS more complicated, and more automation (and policy enforcement - here I'm looking at opendnssec) will certainly help. In the meantime...

... Will NTAs delay adoption of validation or speed it up thanks to the warm fuzzy feeling?


More information about the dns-operations mailing list