> From: Doug Barton <do...@dougbarton.us>
> As stated before, the problem is that after the "early adopter" period
> is over we'll be stuck with NTAs forever. This is one of those
> fundamental disagreements between those who believe that DNS should
> always be forgiving of operator error, and those of us who do not.
Running the DNS for 100+ school districts and 400,000+ devices, I really, REALLY don't want to be the one saying "Sorry, you can't use the site called for in your lesson plan today because they messed up the DNSSEC records." Management's response would be "Just make it work!" Without a per-domain NTA, the only option would be to turn off DNSSEC, returning to square one.

> I continue to maintain that NTAs violate the whole principle of DNSSEC,
> and that if there is a high price for doing it wrong less people will do
> it wrong.

Our browsers give us the option to trust invalid TLS certificates, some even storing it indefinitely. Is an NTA much different?

There's also a price (time spent) for people having to add NTAs for failing domains. Admins may decide that it's not worth the hassle to add an NTA for a particular domain if there isn't enough reason/demand for it.

Perhaps the NTA mechanism needs some tuning. What if an NTA was only valid for one key value? Once the key was replaced, the NTA would no longer be valid, preventing it from hanging around to trust a forged answer far in the future. I don't have an answer for how to handle a domain that never updates the key, letting the NTA stay in place. Perhaps specifying a timeout, as well as expiring on key update.
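The key-bound, time-limited NTA sketched in the reply above, as an added example that is not from the post or from any resolver's implementation: each NTA records a fingerprint of the DNSKEY RRset it was added against plus a hard timeout, and the validator consults the store before deciding whether to skip validation for a zone. The DNSKEY records, zone names and lifetime are constructed sample values.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List


def fingerprint_dnskeys(dnskey_rdatas: Iterable[str]) -> str:
    """Order-independent SHA-256 over the presentation-format DNSKEY RRset."""
    canon = b"\n".join(sorted(r.strip().encode() for r in dnskey_rdatas))
    return hashlib.sha256(canon).hexdigest()


@dataclass
class KeyBoundNTA:
    zone: str
    key_fingerprint: str  # DNSKEY RRset the operator looked at when adding the NTA
    expires_at: float     # hard timeout, so a never-rolled key cannot keep it alive


class NTAStore:
    def __init__(self, max_lifetime_s: float) -> None:
        self.max_lifetime_s = max_lifetime_s
        self._ntas: Dict[str, KeyBoundNTA] = {}

    @staticmethod
    def _norm(zone: str) -> str:
        return zone.lower().rstrip(".")

    def add(self, zone: str, dnskey_rdatas: Iterable[str], now: float) -> None:
        z = self._norm(zone)
        self._ntas[z] = KeyBoundNTA(z, fingerprint_dnskeys(dnskey_rdatas), now + self.max_lifetime_s)

    def applies(self, zone: str, observed_dnskey_rdatas: Iterable[str], now: float) -> bool:
        """True if validation should be skipped for this zone right now.

        The NTA is retired (and False returned) as soon as it times out or the
        zone's DNSKEY RRset no longer matches the one it was bound to."""
        z = self._norm(zone)
        nta = self._ntas.get(z)
        if nta is None:
            return False
        if now >= nta.expires_at or fingerprint_dnskeys(observed_dnskey_rdatas) != nta.key_fingerprint:
            del self._ntas[z]
            return False
        return True

    def active(self) -> List[str]:
        return sorted(self._ntas)


# Constructed sample DNSKEY RRsets (placeholder key material, not real keys)
KEYSET_OLD = ["example.test. 3600 IN DNSKEY 257 3 13 OLDKEYMATERIALxxxx"]
KEYSET_NEW = ["example.test. 3600 IN DNSKEY 257 3 13 NEWKEYMATERIALyyyy"]
```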
dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations