[dns-operations] Implementation of negative trust anchors?

Carlos M. Martinez carlosm3011 at gmail.com
Tue Aug 27 19:26:58 UTC 2013


On Aug 27, 2013, at 4:18 PM, "UFJORw==" <ufjorw at gmail.com> wrote:

> On Tue, Aug 27, 2013 at 9:01 PM, Carlos M. Martinez
> <carlosm3011 at gmail.com> wrote:
>> I mostly agree, but as someone pointed out, the zone operator will be immediately (and painfully) aware of the mishap. Just as if you have a syntax error in your zone file. I fail to see how this results in 'worse' availability compared to what we have today.
> 
> Many operators have their zone slaved by third parties, and these 3rd
> parties' infrastructures are not always completely flexible and/or
> reactive (e.g. dns hosting companies that offer slaving zones as a
> service; I believe this is also the case for some TLDs).
> I think offline signatures were first introduced in DNSSEC to allow
> operators to be free of such constraints relative to third parties.

That's why every behavior should be controlled by a configuration switch. No solution is universal. 

> 
> 
>> Regarding your What … ? questions, I agree you need to answer them, but well, they should be easy to answer if you intend to publish signed zones. And, if you cannot positively answer those questions for your zone and your three or four slaves, well, what can you expect from the Internet as a whole?
> 
> Easy only if you are a DNSSEC expert and you know these questions
> exist, and what to answer to each of them.
> DNSSEC is already not for humans. Let's not make it worse by adding
> new layers of complexity over this mess :)

We're talking about people who want to publish signed zones. You don't need to be an expert to answer those questions. Or, on the other hand, you probably should not publish your signed zone before you are able to answer them.

> 
> 
> I think shelling out is sensible but will probably only be used by an
> elite who can already think of ways to do such validations without
> this feature.

We agree to disagree then.

regards

~Carlos

