[dns-operations] Implementation of negative trust anchors?

WBrown at e1b.org WBrown at e1b.org
Wed Sep 4 17:24:49 UTC 2013

From: "Livingood, Jason" <Jason_Livingood at cable.comcast.com>

> 1 - Responsibility for authoritative DNSSEC mistakes rests with 
> authoritative operators
> (written up quickly in 
> http://tools.ietf.org/html/draft-livingood-auth-dnssec-mistakes-00)

The ultimate responsibility for domain issues really rests with the domain 
owner, not the domain admin.  In section 3, you write 

Even in cases where some error may be introduced by a third party, whether 
that is due to an authoritative server software vendor, software tools 
vendor, domain name registrar, or other organization, these are all 
parties that the domain administrator has selected and is responsible for 
managing successfully.

If the domain administration is provided by an outside party, it is the 
owner that selected them and the owner is the one ultimately responsible. 
In many such service provider arrangements, the only party that has any 
influence to correct problems is the owner, via SLA and the power of the 

Coincidentally, I am dealing with the provider for a local college that 
has outsourced much of their IT. I am trying to get their SPF record 
corrected.  The outsourcing provider admits the record "could use 
updating" but after close to 2 weeks, it is still wrong.  I gave up after 
several phone calls to the provider and I am in contact with the local 
college IT staff.  Time will tell if this provides any results.

> 2 - In case of DNSSEC validation failures, don't change resolvers
> (written up quickly in 
> http://tools.ietf.org/html/draft-livingood-dont-switch-resolvers-00) 

A well written sermon to the choir, I'm afraid.  I suspect there is little 
that can be done to prevent the typical end user from doing what they 
perceive as fixing the problem.

Unless this floats to the top of every search for "Why can't I get to 
$PopularDomain", people will find the advice to switch to a non-validating 
resolver.  Fortunately, the number of publicly available non-validating 
resolvers is declining.
