[dns-operations] Quad9 DNSSEC Validation?

Paul Vixie paul at redbarn.org
Mon Mar 1 19:04:53 UTC 2021


On Mon, Mar 01, 2021 at 09:12:38AM +0100, Petr Špaček wrote:
> ...
> 
> IMHO resolver market economics are going against DNSSEC security. If
> resolution does not work on one operator, people routinely switch to another
> where it "works", either because they do not validate at all, or because
> their ops team has already added a negative trust anchor.
> 
> The only way to fix this is mutual agreement among operators to stop working
> around someone else's mistakes.
> 
> Are there operators willing to participate in such effort?

i'm not a significant operator of recursive validators, so my opinion is of
little weight on that specific question. more generally, it's likely time to
declare NTA a self-immolation mistake for DNSSEC, and schedule a DNS Flag Day
(which this would be, unlike the recent message size change that was called
a "flag day" purely for marketing reasons) to remove NTA from the Internet.

would all of the DNS server implementors agree to remove NTA from their code,
in a coordinated and well publicized manner, so that DNSSEC key/signature
errors become suicidal for zone owners? i surely wish it were so, but sadly,
i doubt that any large-scale RDNS operator would tolerate the resulting NOC
or call center complaint volume while the invisible hand did its work.

NTA won't be _the_ thing that killed DNSSEC, but it's in the top five.

-- 
Paul Vixie