> From: wbr...@e1b.org
> Running the DNS for 100+ school districts and 400,000+ devices, I really,
> REALLY don't want to be the one saying "Sorry, you can't use the site
> called for in your lesson plan today because they messed up the DNSSEC
> records." Management's response would be "Just make it work!"
>
> Without a per domain NTA, the only option would be to turn off DNSSEC,
> returning to square one.
You don't do crazy things like poke around to get an old copy of "their" zone and publish a pirate copy when "they" mess up something else. You say something like "They messed up." In this case, you could and should say something like: "Our network security defenses are telling us that there is something wrong there. Instead of lesson plans, you might be getting child porn if you visit their pages today."

> Our browsers give us the option to trust invalid TLS certificates, some
> even storing it indefinitely. Is an NTA much different?

Yes. TLS differs because public PKI certs are merely a charade of pretend security intended to fool the rubes and harvest money from those who cannot, for various good and bad reasons, refuse to pay the commercial PKI cert vendors. (Yes, some commercial PKI certs are free, which says all that needs to be said to anyone with 0.1% of a clue about the security of every commercial PKI cert.) A valid commercial PKI cert tells you *NOTHING* about the web data it purports to guarantee except that someone was willing to pay time, effort, and perhaps some money to appear trustworthy.

Perhaps in the real world, no evil nasty hackers are going to replace your staff's educational pages with nastiness with either bogus certs or corrupt DNS, but things are definitely otherwise elsewhere.

Vernon Schryver v...@rhyolite.com

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
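The quoted message contrasts a per-domain NTA with turning DNSSEC validation off entirely. The script below is an added example, not code from either poster or from the BIND or Unbound projects: it wraps BIND's real `rndc nta -lifetime` command in a small policy check so that an operator can only issue an NTA that is scoped to a specific zone and bounded in time, rather than the global `dnssec-validation no;` that "just make it work" pressure tends to produce. The 24-hour cap and the refusal of root or single-label (TLD) names are local policy choices assumed for this example; the `lifetime_seconds` and `nta_command` helper names are invented here.

```shell
#!/bin/sh
# Added example (not from the thread): build a scoped, time-limited negative
# trust anchor (NTA) command for BIND's rndc instead of disabling DNSSEC
# validation globally.
#
# The global "fix" this is meant to avoid would be, in named.conf:
#     options { dnssec-validation no; };   # turns validation off for every zone
#
# Assumptions: BIND 9.11+ `rndc nta` (real command); the cap below and the
# "no root / no TLD" rule are made-up local policy for this example.
# Unbound's equivalent is `unbound-control insecure_add <zone>` and
# `unbound-control insecure_remove <zone>`.

MAX_NTA_SECONDS=86400   # assumed local policy cap: one day

# lifetime_seconds LIFETIME -> prints seconds for e.g. "30m", "2h", "1d", "900";
# returns 1 on malformed input
lifetime_seconds() {
    case "$1" in
        ""|*[!0-9smhd]*) return 1 ;;
    esac
    n=${1%[smhd]}           # numeric part
    unit=${1#"$n"}          # trailing unit, if any
    case "$n" in
        ""|*[!0-9]*) return 1 ;;
    esac
    case "$unit" in
        ""|s) echo "$n" ;;
        m) echo $((n * 60)) ;;
        h) echo $((n * 3600)) ;;
        d) echo $((n * 86400)) ;;
        *) return 1 ;;
    esac
}

# nta_command DOMAIN LIFETIME -> prints the rndc command to run, or explains
# on stderr why policy refuses it and returns 1
nta_command() {
    domain=${1%.}           # normalise a trailing dot away
    # An NTA on "." or on a TLD would silence validation for far more than
    # the one broken zone, so refuse anything that is not at least two labels.
    if [ -z "$domain" ] || [ "${domain#*.}" = "$domain" ]; then
        echo "refusing NTA for '$1': must name a specific zone, not root or a TLD" >&2
        return 1
    fi
    secs=$(lifetime_seconds "$2") || { echo "bad lifetime '$2'" >&2; return 1; }
    if [ "$secs" -gt "$MAX_NTA_SECONDS" ]; then
        echo "lifetime '$2' exceeds policy cap of ${MAX_NTA_SECONDS}s" >&2
        return 1
    fi
    echo "rndc nta -lifetime $2 $domain"
}

# Usage: sh nta.sh example.com 4h
if [ -n "${1:-}" ]; then
    nta_command "$1" "${2:-1h}"
fi
```

The command is printed rather than executed so the check can sit in front of whatever change-control step the operator uses; pipe it to `sh` only once the refusal cases above are the ones you want. Removing the NTA early, once the zone owner has repaired their records, is `rndc nta -remove <zone>`.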