[dns-operations] Implementation of negative trust anchors?

WBrown at e1b.org WBrown at e1b.org
Wed Sep 4 15:08:20 UTC 2013

Ondřej Surý <ondrej.sury at nic.cz> wrote on 09/04/2013 10:37:57 AM:

> On 22. 8. 2013, at 21:59, WBrown at e1b.org wrote:
> > Our browsers give us the option to trust invalid TLS certificates, 
> > even storing it indefinitely.  Is an NTA much different?
> And in certain circles it's considered by one of the biggest 
> mistakes that could have happened, and the reason why the whole PKI 
> fails so hard now.

I'll agree it's a security weakness and most users will just click through 
without thinking about the cause, the risks or the consequences.
> On the other hand we have a set of scripts that monitor the domains 
> in .CZ zones and they rip-off the DNSSEC from the domain if a set of
> conditions are fulfilled:
> - the validation fails for a defined time
> - the KEYSET matches the manually defined regex for automatic registrar 
> (And we have an agreement from our registrars who do by-default 
> signing that it's ok.)
> We have also added a trigger that removes KEYSET when NSSET changes 
> (and KEYSET is not updated in the same go).
> So our experience is that most of the errors come from badly managed
> transfers, and that set of workarounds fixed most of it.
> So our view is that it's more an operational problem on the parent 
> side than on resolver side.

It would appear that you are automatically implementing a solution for 
broken signatures.  Is this much different than adding an NTA?  In either 
case, a domain's signature can no longer be confirmed.

Unfortunately, I don't have access to TLD zone data to remove their 
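As an added illustration (not code from this thread or from the .CZ registry), the two quoted conditions and the NSSET-change trigger modelled as a small state machine; the `AUTO-` KEYSET naming pattern, the 24-hour grace period and the handle names are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed: registrars that sign by default name their KEYSET handles "AUTO-..."
AUTO_SIGNING_KEYSET = re.compile(r"^AUTO-")
# Assumed "defined time": validation must fail continuously for 24 hours
GRACE_SECONDS = 24 * 3600


@dataclass
class DomainState:
    name: str
    keyset: str                  # registry KEYSET handle ("" = no DS at parent)
    nsset: str                   # registry NSSET handle
    failing_since: Optional[int] = None   # unix time of first failed probe


def record_validation(state: DomainState, ok: bool, now: int) -> DomainState:
    """Bookkeeping after each validation probe: a success resets the clock."""
    if ok:
        state.failing_since = None
    elif state.failing_since is None:
        state.failing_since = now
    return state


def should_strip_dnssec(state: DomainState, now: int) -> bool:
    """Both quoted conditions: failing for the grace period AND an
    auto-signing registrar KEYSET. Manually managed keysets are left alone."""
    if state.failing_since is None or now - state.failing_since < GRACE_SECONDS:
        return False
    return bool(AUTO_SIGNING_KEYSET.match(state.keyset))


def on_nsset_change(state: DomainState, new_nsset: str,
                    new_keyset: Optional[str] = None) -> DomainState:
    """Trigger: an NSSET change without a KEYSET update in the same
    transaction drops the KEYSET (a badly managed transfer, per the thread)."""
    if new_nsset == state.nsset:
        return state
    state.nsset = new_nsset
    state.keyset = new_keyset if new_keyset is not None else ""
    return state
```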
