[dns-operations] Implementation of negative trust anchors?
regnauld at nsrc.org
Mon Aug 26 11:40:42 UTC 2013
On 26/08/2013, at 13.18, Ralf Weber <Ralf.Weber at nominum.com> wrote:
> So what would your advise be to the people running resolvers/validators?
Currently validating resolvers suffer from an additional and different set of configuration mistakes from those that don't validate. Arguably if everyone validated then it wouldn't matter if foo.com failed because they fumbled the DS or failed to pay for renewal. At that stage, It's Their Problem, Not Yours because everyone on the resolver side experiences the same problem (give or take $ttl just like in insecure DNS). So get everyone else to validate so we're all in the same boat :)
Humor aside, I agree better automated processes would help - although today no software helps you prevent mismatched parent and child delegations, for instance. But dnssec IS more complicated, and more automation (and policy enforcement - here I'm looking at opendnssec) will certainly help. In the meantime...
... Will NTAs delay adoption of validation or speed it up thanks to the warm fuzzy feeling?
More information about the dns-operations