[dns-operations] Implementation of negative trust anchors?

David Conrad drc at virtualized.org
Mon Aug 26 13:53:28 UTC 2013


On Aug 26, 2013, at 6:08 AM, Randy Bush <randy at psg.com> wrote:
>> So what would your advice be to the people running resolvers/validators?
> in internet operations we open a ticket with the op that has the problem.
> we even use <gasp> voice phones, if that is what it takes.

The issue is the support costs/reputation damage/etc the validator operator has to absorb for doing the right thing when the signer makes a mistake that a non-validator operator does not have to absorb. Since at this point in time, doing DNSSEC is purely cost with little (observable) benefit, how many times should a validator operator absorb those costs before the beancounters and PHBs say, "why are we doing this to ourselves?"

> report and fix bugs, do not paper over them.

The bug was reported to NASA and it was fixed (eventually), yet it was Comcast that was blamed. 

I suspect everyone agrees there should be better tools, but shit happens even with the best tools. Given the state of deployment, the lack of (observable) benefit from deployment, and the impact particularly to large eyeball networks, NTAs seem pretty much a requirement if you actually want DNSSEC deployed.
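To make the operational point above concrete, here is a small model of how a validating resolver applies a negative trust anchor. It is an added example, not code from the original post and not the implementation of any real resolver (BIND, Unbound and others have their own NTA mechanisms). The zone name broken.example, the signature check being collapsed to a boolean, and the one-week upper bound on NTA lifetime are all assumptions of this example. What it shows: while the signer's zone is broken, answers under it return SERVFAIL; an NTA installed at that name turns those into answers marked insecure (no AD bit) without touching sibling zones; and once the NTA's lifetime runs out, failures revert to SERVFAIL so the workaround cannot quietly become permanent.

```python
"""Model of how a validating resolver applies negative trust anchors (NTAs).

Added example; not code from the original post or from any resolver.
Constructed scenario: a zone operator publishes broken DNSSEC records, so
every chain-of-trust check under that zone fails. Without an NTA the
validator returns SERVFAIL; with a time-limited NTA covering the zone it
returns the answer flagged insecure until the NTA expires.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SERVFAIL = "SERVFAIL"
SECURE = "SECURE"       # answer validated, AD bit set
INSECURE = "INSECURE"   # answer returned unvalidated, AD bit clear


def _labels(name: str) -> Tuple[str, ...]:
    """Normalise a domain name to a lowercase tuple of labels (root omitted)."""
    return tuple(lbl.lower() for lbl in name.rstrip(".").split(".") if lbl)


def is_at_or_below(qname: str, zone: str) -> bool:
    """True when qname equals zone or is a descendant of it (label-wise)."""
    q, z = _labels(qname), _labels(zone)
    return len(q) >= len(z) and q[len(q) - len(z):] == z


@dataclass
class NtaStore:
    """Operator-installed NTAs, each with an absolute expiry (epoch seconds).

    Assumption: lifetimes are capped at max_lifetime (one week here) so a
    temporary workaround for a signer's mistake cannot become permanent.
    """
    max_lifetime: int = 7 * 24 * 3600
    _entries: Dict[Tuple[str, ...], float] = field(default_factory=dict)

    def add(self, zone: str, now: float, lifetime: int) -> None:
        if lifetime <= 0 or lifetime > self.max_lifetime:
            raise ValueError("NTA lifetime must be in (0, max_lifetime]")
        self._entries[_labels(zone)] = now + lifetime

    def remove(self, zone: str) -> None:
        self._entries.pop(_labels(zone), None)

    def covering(self, qname: str, now: float) -> Optional[str]:
        """Return the closest enclosing unexpired NTA name, or None."""
        best: Optional[Tuple[str, ...]] = None
        for labels, expiry in list(self._entries.items()):
            if expiry <= now:
                del self._entries[labels]  # drop expired entries as we go
                continue
            if is_at_or_below(qname, ".".join(labels)) and (
                best is None or len(labels) > len(best)
            ):
                best = labels
        return ".".join(best) if best else None


def resolve(qname: str, validation_ok: bool, ntas: NtaStore, now: float) -> str:
    """Decide what the validator hands back for one query.

    validation_ok stands in for the DNSSEC chain-of-trust result for qname;
    the actual signature verification is out of scope for this model.
    """
    if validation_ok:
        return SECURE
    if ntas.covering(qname, now) is not None:
        return INSECURE  # NTA in force: answer, but do not claim it validated
    return SERVFAIL


def broken_zone_scenario() -> Dict[str, str]:
    """Walk the constructed incident: validation under broken.example (a
    made-up zone) fails from t=0; the operator installs a one-hour NTA at
    t=600. Returns the outcome at each stage."""
    ntas = NtaStore()
    broken = "broken.example"
    out: Dict[str, str] = {}
    out["before_nta"] = resolve("www." + broken, False, ntas, now=0)
    ntas.add(broken, now=600, lifetime=3600)
    out["with_nta"] = resolve("www." + broken, False, ntas, now=700)
    out["sibling_unaffected"] = resolve("www.other.example", True, ntas, now=700)
    out["after_expiry"] = resolve("www." + broken, False, ntas, now=600 + 3600 + 1)
    return out


if __name__ == "__main__":
    for stage, outcome in broken_zone_scenario().items():
        print(f"{stage:20s} {outcome}")
```

Note that the NTA is matched by label boundary, so notbroken.example is not covered by an NTA at broken.example, and that the store expires entries on its own rather than relying on an operator remembering to remove them; the question of when to pull an NTA early (once the signer has fixed the zone and the records have aged out of caches) is left to the operator, as it is in practice.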

