[dns-operations] Implementation of negative trust anchors?

Paul Hoffman paul.hoffman at vpnc.org
Tue Aug 27 15:56:43 UTC 2013

On Aug 27, 2013, at 8:27 AM, Joe Abley <jabley at hopcount.ca> wrote:

> I seem to think actually that all the prominent public failures near the root of the namespace have not been due to zones that were signed incorrectly, but rather botched rollovers, parent DS mismatch, accidental use of an old key, etc.

That is what most of the sad messages we have seen on the DNSSEC deployment list indicate.

> I've long wished for a more general facility where upon successful [AI]XFR I could shell out to an arbitrary local executable and do whatever checks I wanted before signalling with exit status that "this zone is ok to serve". With a bit of state held on disk about previous zones you could include some of those temporal checks and perhaps catch a few more problems.

...but not all of them.

--Paul Hoffman
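
Added example, not part of the original message or of any name server's own code: a Python sketch of the kind of post-transfer check described in the quoted text, signalling "ok to serve" through its exit status. The function names, the layout of the on-disk state (shown here as a dict) and the sample keys are assumptions constructed for illustration; it checks only for a parent DS mismatch, a retired key tag reappearing and a backwards SOA serial.

```python
#!/usr/bin/env python3
"""Post-transfer hook sketch: exit 0 only if the new zone looks safe to serve."""
import base64, hashlib, struct, sys

def name_wire(name):
    """Canonical (lowercased) wire form of a domain name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, alg, pubkey_b64):
    return struct.pack("!HBB", flags, protocol, alg) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_wire(owner) + rdata).hexdigest()

def check_zone(apex, serial, dnskeys, parent_ds, state):
    """Return a list of problems; an empty list means the zone may be served."""
    problems = []
    prev = state.get("serial")
    # RFC 1982 serial arithmetic: a step of 2**31 or more is not an increase.
    if prev is not None and serial != prev and (serial - prev) % 2**32 >= 2**31:
        problems.append(f"SOA serial went backwards: {prev} -> {serial}")
    rdatas = [dnskey_rdata(*k) for k in dnskeys]
    tags = {key_tag(r) for r in rdatas}
    # Temporal check: a key tag recorded as retired must not reappear.
    for tag in sorted(tags & set(state.get("retired_key_tags", []))):
        problems.append(f"retired key tag {tag} is back in the DNSKEY RRset")
    # Parent/child check: at least one SHA-256 DS must match a published DNSKEY.
    published = {(key_tag(r), r[3], ds_sha256(apex, r)) for r in rdatas}
    if not any((t, a, d.lower()) in published for t, a, dt, d in parent_ds if dt == 2):
        problems.append("no parent DS matches any DNSKEY in the zone")
    return problems

if __name__ == "__main__":
    # Constructed sample data: the key bytes are placeholders, not real keys.
    ksk = (257, 3, 13, base64.b64encode(b"constructed-ksk-bytes").decode())
    old = (257, 3, 13, base64.b64encode(b"constructed-old-ksk").decode())
    r = dnskey_rdata(*old)
    parent_ds = [(key_tag(r), 13, 2, ds_sha256("example.", r))]  # parent lists old key
    state = {"serial": 2013082700, "retired_key_tags": []}
    problems = check_zone("example.", 2013082701, [ksk], parent_ds, state)
    print("\n".join(problems) or "zone ok to serve")
    sys.exit(1 if problems else 0)
```

Key tags are 16-bit and can collide between unrelated keys, so a hit on the retired-tag check is a reason to look closer rather than proof of reuse.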
