[dns-operations] slack.com bogus

Paul Ebersman list-dns-operations at dragon.net
Thu Sep 30 21:30:34 UTC 2021


pounsett> Negative Trust Anchors, most probably.

paul> i hope not. because if true, there's no backpressure on sloppy
paul> operations. are we really introducing a new animal to this
paul> ecosystem that has no predators trying to kill or eat it?

NTAs in production use aren't even vaguely new. They've been in wide use
for 8-10 years that I'm aware of. They are part of why folks like
Google, Cloudflare, Comcast et al. are willing to do DNSSEC validation in
production.

Doing it automatically is bad, as per RFC 7646, but it is a valid
response if it's a large site and a mistake rather than malicious.



