[dns-operations] Implementation of negative trust anchors?

UFJORw== ufjorw at gmail.com
Tue Aug 27 19:18:26 UTC 2013


On Tue, Aug 27, 2013 at 9:01 PM, Carlos M. Martinez
<carlosm3011 at gmail.com> wrote:
> I mostly agree, but as someone pointed out, the zone operator will be immediately (and painfully) aware of the mishap. Just as if you have a syntax error in your zone file. I fail to see how this results in 'worse' availability compared to what we have today.

Many operators have their zone slaved by third parties, and these third
parties' infrastructures are not always completely flexible and/or
reactive (e.g. DNS hosting companies that offer slaving zones as a
service; I believe this is also the case for some TLDs).
I think offline signatures were first introduced in DNSSEC to allow
operators to be free of such constraints relative to third parties.


> Regarding your What … ? questions, I agree you need to answer them, but well, they should be easy to answer if you intend to publish signed zones. And, if you cannot positively answer those questions for your zone and your three or four slaves, well, what can you expect from the Internet as a whole ?

Easy only if you are a DNSSEC expert and you know these questions
exist, and what to answer to each of them.
DNSSEC is already not for humans. Let's not make it worse by adding
new layers of complexity over this mess :)


I think shelling out is sensible but will probably only be used by an
elite who can already think of ways to do such validations without
this feature.


