[dns-operations] Implementation of negative trust anchors?

Livingood, Jason Jason_Livingood at cable.comcast.com
Wed Sep 4 13:34:13 UTC 2013

On 8/26/13 2:16 AM, "Randy Bush" <randy at psg.com> wrote:
> fix the software and the ops processes.  do not patch over the problems or they will increase.  the problem is weak software and processes that need to be fixed, and patching and denial will not fix them.

Fair enough, and I agree that software and signing ops processes *do* need work (I'm more or less screaming that from the rooftops, so to speak). But realistically this will take time and in parallel if we as a community would like to see more validation, then NTAs seem like something we'll have to learn to live with for some period of time.*

So we're in a lull in DNSSEC deployment. We want to see more DNSSEC deployment but without the ability to turn off validation for a short period of time for a single domain (the other choice is for all domains, which seems less good), it is very difficult for an operator to justify implementing DNSSEC (though *not* impossible – a few of us have).

If we want to see more validation we may have to acknowledge the operational realities involved in doing so. I don't see NTAs as a long-term thing but in the phase of deployment we're all in now, it sure is useful.

- Jason

* Phone calls to report issues / open tickets are good of course. But if we expect to find this via WHOIS, good luck, and any method unless you know the contact personally can take hours (or days) to track down someone in the know. I really do wish that there was some central critical DNS incident NOC (at ICANN, DNS-OARC, McDonald's, or wherever) where operators could open tickets and where some centralized team would do incident handling & reporting. That seems more efficient than 50 or 1,000 operators all calling example.com to report a signing failure. But I digress…
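The mechanism the message argues for (disabling validation for one domain, for a short time, rather than for everything) can be modelled compactly. The following is an added illustration, not code from this thread or from any resolver (BIND exposes the feature as the `rndc nta` command, Unbound as the `domain-insecure:` option; this toy reimplements the lookup logic only). The lifetime cap, the ticket-reference field and the sample NTA for example.com are constructed assumptions. It shows the three properties an operator would want from such a table: an NTA covers the name and everything below it but not look-alike names, it expires on its own so a forgotten entry cannot become a permanent validation bypass, and the active set can be listed for review.

```python
"""Toy model of per-domain negative trust anchors (NTAs) in a validating
resolver.  Constructed example for illustration; it is not code from BIND,
Unbound or any other resolver.  Names, limits and sample data are assumed."""

import time
from dataclasses import dataclass


@dataclass
class NegativeTrustAnchor:
    name: str          # owner name the NTA covers (and every name below it)
    expires_at: float  # absolute time (seconds) after which validation resumes
    reason: str        # ticket / contact note kept for the audit trail


def _labels(qname: str) -> list[str]:
    """Split a DNS name into labels, case-folded, without the trailing dot."""
    qname = qname.rstrip(".").lower()
    return qname.split(".") if qname else []


class NtaTable:
    # Assumed policy knob: no NTA may outlive this many seconds, so a
    # forgotten entry cannot silently turn into a permanent validation bypass.
    def __init__(self, max_lifetime: int = 7 * 24 * 3600, clock=time.time):
        self.max_lifetime = max_lifetime
        self.clock = clock
        self._entries: dict[str, NegativeTrustAnchor] = {}

    def add(self, name: str, lifetime: int, reason: str) -> NegativeTrustAnchor:
        """Install an NTA for `name`, with its lifetime clamped to the maximum."""
        if lifetime <= 0:
            raise ValueError("NTA lifetime must be positive")
        lifetime = min(lifetime, self.max_lifetime)
        key = ".".join(_labels(name))
        if not key:
            raise ValueError("refusing an NTA for the root zone")
        nta = NegativeTrustAnchor(key, self.clock() + lifetime, reason)
        self._entries[key] = nta
        return nta

    def remove(self, name: str) -> bool:
        """Drop an NTA early, e.g. once the zone owner has fixed the signing."""
        return self._entries.pop(".".join(_labels(name)), None) is not None

    def _purge_expired(self) -> None:
        now = self.clock()
        for key in [k for k, v in self._entries.items() if v.expires_at <= now]:
            del self._entries[key]

    def covering(self, qname: str):
        """Return the active NTA covering `qname`, or None.

        Walks from the query name up towards the root, so an NTA for
        example.com also covers www.example.com but not notexample.com."""
        self._purge_expired()
        labels = _labels(qname)
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            nta = self._entries.get(candidate)
            if nta is not None:
                return nta
        return None

    def should_validate(self, qname: str) -> bool:
        """True when the resolver must still perform DNSSEC validation."""
        return self.covering(qname) is None

    def active(self) -> list[NegativeTrustAnchor]:
        """Current entries, soonest to expire first, for operator review."""
        self._purge_expired()
        return sorted(self._entries.values(), key=lambda n: n.expires_at)


if __name__ == "__main__":
    table = NtaTable()
    # Constructed sample entry: one hour, with the ticket that justifies it.
    table.add("example.com", 3600, "ticket 1234: stale DS after key roll (constructed)")
    for name in ("www.example.com", "example.com", "notexample.com", "example.net"):
        print(f"{name:20} validate={table.should_validate(name)}")
    for nta in table.active():
        print(f"active NTA {nta.name} until {nta.expires_at:.0f}: {nta.reason}")
```

The suffix walk in `covering` is the part worth checking in a real deployment: an NTA installed too high in the tree (say at a TLD) switches off validation for far more than the broken zone, which is the "all domains" failure mode the message wants to avoid. Keeping `reason` mandatory and listing `active()` in monitoring gives the operator the record needed when the footnote's "who do I call" problem eventually gets answered.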
