[dns-operations] Implementation of negative trust anchors?

Vernon Schryver vjs at rhyolite.com
Tue Aug 27 14:29:02 UTC 2013


> From: Antoin Verschuren <antoin.verschuren at sidn.nl>

> A truly DNSSEC aware authoritative server should not publish a zone,
> not even the unsigned records, when validation fails for that zone.
> That way, if a DNSSEC signed zone is DNSSEC broken, it's also broken
> for a non-validating resolver, there is no competition issue, and the
> zone publisher should fix his zone to get it working at all.
>
> Who will be the first DNS vendor implementing? :-)

How about this: Everyone running DNSSEC aware authoritative servers
will also run and use a distant DNSSEC recursive server to check
periodically (e.g. with nagios) as well as before and after changes
that the authoritative servers are sane.

Or this: Everyone running an authoritative server
will also run and use a recursive server to check periodically
(e.g. with nagios) as well as before and after all changes that the
authoritative server is sane.

NTA is like the set-UID 0 shells and equivalents that everyone with
much computer experience has used at one time or another to deal
with extremely incompetent and uncooperative cow-orkers whose
nominal responsibilities include running computers that must
function at least partially for you to do your own job.  NTA differs
from other such back doors most in being spoken about in public and
even advocated by people who claim to care about security and don't
know (or claim to not know) what I'm talking about in set-UID shells.

Like all such unspeakables, there's little that should be said about
NTA.  The prudent will avoid using it, protect their installations of
it from abuse (e.g. automatic expiration), be wary of anyone who might
be able to use it against their own domains, avoid being questioned
about having used it, and avoid the company of those who brag about
or advocate using it.


Vernon Schryver    vjs at rhyolite.com
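An added example, not part of the list post, of the periodic check the post describes: a Nagios-style plugin that asks a distant validating recursive resolver for a zone's SOA with +dnssec and treats SERVFAIL as "the zone is broken for every validator". ZONE and RESOLVER are placeholders given on the command line; dig is assumed to be installed.

```shell
#!/bin/sh
# Added example (not code from the list post): query a validating resolver
# for a zone's SOA and report the zone's health from the resolver's verdict.
# ZONE and RESOLVER are placeholders supplied on the command line.

# Read a dig reply on stdin and print a Nagios state:
#   0 OK        NOERROR with the AD flag: the resolver validated the answer
#   1 WARNING   NOERROR without AD: served but not validated (zone unsigned,
#               or the resolver is not validating)
#   2 CRITICAL  SERVFAIL: validation failed, so the zone is broken for every
#               validating resolver; also used when there is no reply at all
#   3 UNKNOWN   any other status
classify_reply() {
    reply=$(cat)
    status=$(printf '%s\n' "$reply" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$reply" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo 0 ;;
                *)        echo 1 ;;
            esac ;;
        SERVFAIL|"") echo 2 ;;
        *)           echo 3 ;;
    esac
}

# Human-readable status line for Nagios.
state_message() {
    case "$1" in
        0) echo "OK - zone validates (AD flag set)" ;;
        1) echo "WARNING - answer not validated (no AD flag)" ;;
        2) echo "CRITICAL - SERVFAIL from validating resolver: zone broken for validators" ;;
        *) echo "UNKNOWN - unexpected response status" ;;
    esac
}

# check_zone ZONE RESOLVER: ask the distant validating resolver and classify.
check_zone() {
    dig @"$2" "$1" SOA +dnssec +time=3 +tries=1 2>/dev/null | classify_reply
}

# Act as a plugin only when given ZONE and RESOLVER; sourcing does nothing.
if [ $# -eq 2 ]; then
    state=$(check_zone "$1" "$2")
    state_message "$state"
    exit "$state"
fi
```

Run it from the check host before and after a zone change as well as from cron or Nagios; a CRITICAL after a change is the resolver telling you what non-validating clients will never tell you.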
