[dns-operations] Implementation of negative trust anchors?

Ondřej Surý ondrej.sury at nic.cz
Wed Sep 4 14:37:57 UTC 2013


On 22. 8. 2013, at 21:59, WBrown at e1b.org wrote:
> Our browsers give us the option to trust invalid TLS certificates, some 
> even storing it indefinitely.  Is an NTA much different?


And in certain circles it's considered one of the biggest mistakes that could have happened, and the reason why the whole PKI fails so hard now.


On the other hand we have a set of scripts that monitor the domains in .CZ zones and they rip off the DNSSEC from the domain if a set of conditions are fulfilled:

- the validation fails for a defined time
- the KEYSET matches the manually defined regex for automatic registrar keys

(And we have an agreement from our registrars who do by-default signing that it's ok.)

We have also added a trigger that removes KEYSET when NSSET changes (and KEYSET is not updated in the same go).

So our experience is that most of the errors come from badly managed transfers, and that set of workarounds fixed most of it.

So our view is that it's more an operational problem on the parent side than on resolver side.

O.
--
 Ondřej Surý -- Chief Science Officer
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:ondrej.sury at nic.cz    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------
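The registry-side clean-up described in the message above, as an added example that is not CZ.NIC's own scripts: a model of the two strip conditions (validation failing for a defined time, KEYSET matching a registrar auto-key pattern) and of the NSSET-change trigger. The grace period, the key-name regex and the record layout are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed values: the "defined time" and the regex that identifies keys
# generated by a registrar's automatic signing (both are placeholders).
FAILURE_GRACE = timedelta(days=7)
AUTO_REGISTRAR_KEY_RE = re.compile(r"^auto-registrar-[a-z0-9]+$")

_UNCHANGED = object()  # sentinel: field not present in the update request


@dataclass
class DomainState:
    """Constructed registry record: KEYSET is None when the domain is unsigned."""
    name: str
    keyset: Optional[str]
    nsset: str
    failing_since: Optional[datetime] = None


def observe_validation(state: DomainState, ok: bool, now: datetime) -> Optional[str]:
    """Feed one validation result. Returns None on success, 'wait' while the
    failure is too fresh or the key is manually managed, 'strip' when the
    KEYSET has been removed because both conditions hold."""
    if ok:
        state.failing_since = None  # any success restarts the clock
        return None
    if state.failing_since is None:
        state.failing_since = now
    long_enough = now - state.failing_since >= FAILURE_GRACE
    if state.keyset and long_enough and AUTO_REGISTRAR_KEY_RE.match(state.keyset):
        state.keyset = None  # rip off DNSSEC: DS set is withdrawn from the parent
        state.failing_since = None
        return "strip"
    return "wait"


def apply_update(state: DomainState, new_nsset=_UNCHANGED, new_keyset=_UNCHANGED) -> str:
    """Trigger: an NSSET change that does not also update the KEYSET drops it,
    since the new operator almost certainly does not hold the old keys."""
    nsset_changed = new_nsset is not _UNCHANGED and new_nsset != state.nsset
    if nsset_changed:
        state.nsset = new_nsset
    if new_keyset is not _UNCHANGED:
        state.keyset = new_keyset  # keys rolled in the same go: keep signing
        state.failing_since = None
        return "kept"
    if nsset_changed and state.keyset is not None:
        state.keyset = None
        return "dropped"
    return "kept"
```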
