[dns-operations] Implementation of negative trust anchors?

Antoin Verschuren antoin.verschuren at sidn.nl
Tue Aug 27 12:49:08 UTC 2013


How about this solution:

A truly DNSSEC aware authoritative server should not publish a zone,
not even the unsigned records, when validation fails for that zone.
That way, if a DNSSEC signed zone is DNSSEC broken, it's also broken
for a non-validating resolver, there is no competition issue, and the
zone publisher should fix his zone to get it working at all.

Who will be the first DNS vendor implementing? :-)

-- 
Antoin Verschuren

Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  M: +31 6 23368970
Mailto: antoin.verschuren at sidn.nl
XMPP: antoin.verschuren at jabber.sidn.nl
HTTP://www.sidn.nl/

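The fail-closed publication gate the post proposes, as an added example that is not part of the original message and not code from any DNS vendor. Real validation verifies RRSIG cryptography against the DNSKEY/DS chain (BIND's `dnssec-verify` does this on a zone file before a reload); this script only performs the structural checks a pre-publish hook can make on the zone text (every RRset carries an RRSIG whose validity window contains "now", a DNSKEY RRset exists at the apex, no orphaned RRSIGs), which is enough to catch the most common breakage, a zone whose signatures were not refreshed in time. The zone below is constructed sample data; the `records_to_serve` decision returns nothing at all when the gate fails, so a broken signed zone is withheld from non-validating resolvers too.

```python
"""Fail-closed pre-publish gate for a DNSSEC-signed zone (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample zone in presentation format, one record per line:
# owner TTL class type rdata...  Signature fields are placeholders.
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2013082701 7200 900 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDKSK
example.test. 3600 IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDZSK
example.test. 3600 IN RRSIG SOA 8 2 3600 20130920000000 20130821000000 12345 example.test. c29h
example.test. 3600 IN RRSIG NS 8 2 3600 20130920000000 20130821000000 12345 example.test. bnM=
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20130920000000 20130821000000 54321 example.test. a2V5
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 8 3 3600 20130920000000 20130821000000 12345 example.test. YQ==
"""

RRSIG_TIMEFMT = "%Y%m%d%H%M%S"   # RRSIG expiration/inception wire-text format


def utc(iso_date):
    """Helper for tests and the demo: an aware UTC datetime from YYYY-MM-DD."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


def parse_zone(text):
    """Split zone text into plain RRsets and the RRSIGs that cover them.
    rrsets: {(owner, type): [rdata, ...]}
    rrsigs: {(owner, covered_type): [(inception, expiration, keytag), ...]}"""
    rrsets, rrsigs = defaultdict(list), defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split(";", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            raise ValueError(f"line {lineno}: expected 'owner TTL IN type rdata'")
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        if rtype == "RRSIG":
            # RRSIG rdata: covered alg labels origttl expiration inception keytag signer sig
            if len(rdata) < 9:
                raise ValueError(f"line {lineno}: short RRSIG rdata")
            expiration = datetime.strptime(rdata[4], RRSIG_TIMEFMT).replace(tzinfo=timezone.utc)
            inception = datetime.strptime(rdata[5], RRSIG_TIMEFMT).replace(tzinfo=timezone.utc)
            rrsigs[(owner, rdata[0].upper())].append((inception, expiration, int(rdata[6])))
        else:
            rrsets[(owner, rtype)].append(" ".join(rdata))
    return rrsets, rrsigs


def check_zone(text, now=None):
    """Return a list of problems; an empty list means the zone may be published."""
    now = now or datetime.now(timezone.utc)
    rrsets, rrsigs = parse_zone(text)
    apexes = [owner for (owner, rtype) in rrsets if rtype == "SOA"]
    if len(apexes) != 1:
        return [f"expected exactly one SOA, found {len(apexes)}"]
    problems = []
    if (apexes[0], "DNSKEY") not in rrsets:
        problems.append(f"{apexes[0]}: no DNSKEY RRset at the apex; zone is not signed")
    for (owner, rtype) in sorted(rrsets):
        sigs = rrsigs.get((owner, rtype), [])
        if not sigs:
            problems.append(f"{owner} {rtype}: no RRSIG covers this RRset")
        elif not any(inc <= now <= exp for inc, exp, _ in sigs):
            # The classic failure: the zone was not re-signed before its RRSIGs expired.
            latest = max(exp for _, exp, _ in sigs)
            problems.append(f"{owner} {rtype}: no RRSIG valid at {now:%Y-%m-%dT%H:%M:%SZ} "
                            f"(latest expiration {latest:%Y-%m-%dT%H:%M:%SZ})")
    for (owner, covered) in sorted(rrsigs):
        if (owner, covered) not in rrsets:       # stale signing run or editing mistake
            problems.append(f"{owner} RRSIG {covered}: signature without a matching RRset")
    return problems


def records_to_serve(text, now=None):
    """Publication decision in the spirit of the post: the zone's RRsets when the
    gate passes, an empty list otherwise (not even the unsigned records)."""
    if check_zone(text, now):
        return []
    rrsets, _ = parse_zone(text)
    return [(owner, rtype, rdata)
            for (owner, rtype), rdatas in sorted(rrsets.items()) for rdata in rdatas]


if __name__ == "__main__":
    for day in ("2013-08-27", "2013-10-01"):
        problems = check_zone(SAMPLE_ZONE, utc(day))
        print(f"{day}: {'PUBLISH' if not problems else 'REFUSE'}")
        for problem in problems:
            print("  -", problem)
```

Run it and the zone passes on 2013-08-27 but is refused on 2013-10-01 with one line per expired RRset; wiring `check_zone` in front of a reload is the fail-closed behaviour the post asks for, with a cryptographic verifier in place of the structural checks on a real server.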