[dns-operations] Implementation of negative trust anchors?

Suzanne Woolf woolf at isc.org
Mon Aug 26 11:49:30 UTC 2013


On Aug 26, 2013, at 7:40 AM, Phil Regnauld <regnauld at nsrc.org> wrote:

> 
> 
> On 26/08/2013, at 13.18, Ralf Weber <Ralf.Weber at nominum.com> wrote:
> 
>> So what would your advise be to the people running resolvers/validators?
> 
> Currently validating resolvers suffer from an additional and different set of configuration mistakes from those that don't validate. Arguably if everyone validated then it wouldn't matter if foo.com failed because they fumbled  the DS or failed to pay for renewal. At that stage, It's Their Problem, Not Yours because everyone on the resolver side experiences the same problem (give or take $ttl just like in insecure DNS).  So get everyone else to validate so we're all in the same boat :)
> 
> Humor aside, I agree better automated processes would help - although today no software helps you prevent  mismatched parent and child delegations, for instance. But dnssec IS more complicated, and more automation (and policy enforcement - here I'm looking at opendnssec) will certainly help. In the meantime...
> 
> ... Will NTAs delay adoption of validation or speed it up thanks to the warm fuzzy feeling?
> 
While in full agreement that signer-side tools and processes need work (and yes, I work for a DNS software vendor), I think on balance NTA speeds up adoption by compartmentalizing "other people's mistakes" and allowing the resolver operator to still get the benefit of DNSSEC from server operators who do properly maintain their DNSSEC.

As with any tool, virtual or physical, NTA can be useful, but careless operation comes with a price. That may or may not be a reason to leave the tool on the shelf. Why would we assume that resolver operators are less able to make intelligent use of improved policy tools such as NTA than server operators are of better tools for maintaining (or breaking) their DNSSEC?

Suzanne








More information about the dns-operations mailing list