[dns-operations] slack.com bogus

Paul Ebersman list-dns-operations at dragon.net
Thu Sep 30 22:54:12 UTC 2021


pe> NTAs in production use aren't even vaguely new. They've been in wide
pe> use for 8-10 years that I'm aware of. They are part of why folks
pe> like google, cloudflare, comcast et al are willing to do DNSSEC
pe> validation in production.

paul> i know that. i just don't like it. without backpressure,
paul> sloppiness will normalize. (always.)

Not always. Sometimes, pain teaches avoidance, not improvement. We
already have a slow enough rollout of DNSSEC as it is.

One of the things I've never been happy about with DNSSEC (but admit no
brilliant alternate solution for) is that the cost/pain are in the wrong
place.

If NASA borks their DNSSEC, the large recursive resolvers eat huge
customer support costs but NASA is mostly unscathed (and may not even
notice immediately). So the incentive to do better operationally is
light for NASA but the resolver operators have very little leverage to
encourage them to do better.

I hold up most of .milnet as an example of years of DNSSEC breakage
making very little headway in operational improvements. While a lot of
that is due to it being an unfunded mandate for years, breakage
certainly hasn't improved things much faster.

NTAs shouldn't be over-used/abused but there's no question they have
significantly moved the needle in getting recursive operators to
validate, which is a huge part of what's needed in wide scale DNSSEC
deployment being useful.
