> From: Suzanne Woolf <wo...@isc.org>

> I don't like it either, but it limits the damage done by a DNSSEC
> failure to status quo ante rather than something worse.

That is mistaken. You get the status quo ante by simply turning off validation. Turning off validation is the only sane response this year to phone calls reporting the breakage of a major domain. Even if you have NTA, from now on you'll do as Comcast evidently is now doing and decline to pay the current and future costs of adding minor domains to your NTA list. You'll just tell your users Stuff Happens and perhaps help them use `whois` to find someone else to bother. Last year differed.

I trust (wish?) we all learned the excessive costs of organization-wide white/blacklists from the last 15 years of the spam wars.

> > madness test: would we have bothered with DNSSEC at all, back in the
> > day, if NTA had been known as a definite requirement?
>
> I realize this is something of a rhetorical question, but I'll bite: if
> it were framed as a way of promoting incremental, fault-tolerant
> deployment and mitigating the cost shifting of "I screw up and your
> phone rings," some of us might well have been happy to include it.

On the contrary, NTA is a new tool for deliberately introducing new faults in the data you give your DNS clients. It is a tool for lying to your DNS clients with data that you swear is valid and signed but that you know is at best unsigned and quite possibly invalid or worse.

If I didn't know the inevitable user response to security problems, I'd favor NTA as a way to get validation to move where it must be eventually, at least as close as their nearest router. After a few kerfuffles in which it is discovered that telephants have been ordered by government or corporate bosses to use NTA to obscure the hijacking of domain names on grounds of copyright violation, terrorism, publication of national defense secrets, or failure by content providers to agree to telephant tariffs, one might hope that users would stop using Central Facility's DNS validators.

Of course, besides the inevitable non-response by almost all users, some users would probably notice, figure it out, and care. But as always, enough of the bosses and their minions won't believe or care.

Vernon Schryver v...@rhyolite.com
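The post contrasts three resolver states: validation switched off (the "status quo ante"), validation on, and validation on with a Negative Trust Anchor covering a zone whose DNSSEC is broken. The following Python model is an added illustration, not code from this thread, from Vernon, or from any real resolver; it follows the NTA semantics of RFC 7646 (an NTA makes the covered zone be treated as insecure, the AD bit must not be set on such answers, and the NTA carries a bounded lifetime). The zone names, addresses, validation outcomes and clock are constructed inputs, not the result of real signature checking.

```python
"""Toy model of a validating resolver's answer path with and without a
Negative Trust Anchor (NTA), following RFC 7646 semantics.

Added illustration only: not code from the dns-operations thread or from
any resolver. Validation outcomes are supplied as constructed input rather
than computed from real RRSIGs."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


class Validation(Enum):
    SECURE = "secure"      # chain of trust verified
    INSECURE = "insecure"  # provably unsigned (e.g. no DS record in the parent)
    BOGUS = "bogus"        # signed, but the signatures do not validate


@dataclass
class Answer:
    name: str
    rdata: Optional[str]   # None models SERVFAIL
    status: Validation
    ad: bool               # AD bit as the stub client would see it


class Resolver:
    """Hypothetical resolver. validate=False is the 'status quo ante'
    (no DNSSEC at all); NTAs only matter while validation is on."""

    def __init__(self, validate: bool = True):
        self.validate = validate
        self._ntas: Dict[str, datetime] = {}  # zone -> expiry (UTC)

    def add_nta(self, zone: str, now: datetime,
                lifetime: timedelta = timedelta(hours=1)) -> None:
        # RFC 7646 asks for bounded lifetimes and suggests one week as the ceiling.
        lifetime = min(lifetime, timedelta(days=7))
        self._ntas[zone.lower()] = now + lifetime

    def _nta_covers(self, name: str, now: datetime) -> bool:
        # An NTA applies to the zone apex and every name below it until it expires.
        name = name.lower()
        for zone, expires in list(self._ntas.items()):
            if now >= expires:
                del self._ntas[zone]  # expired NTAs are dropped automatically
                continue
            if name == zone or name.endswith("." + zone):
                return True
        return False

    def resolve(self, name: str, rdata: str, outcome: Validation,
                now: datetime) -> Answer:
        if not self.validate:
            # Status quo ante: data passes through unchecked, never marked authentic.
            return Answer(name, rdata, Validation.INSECURE, ad=False)
        if outcome is Validation.BOGUS:
            if self._nta_covers(name, now):
                # NTA: bogus data is handed out as if the zone were unsigned.
                # RFC 7646: the AD bit MUST NOT be set on such answers.
                return Answer(name, rdata, Validation.INSECURE, ad=False)
            return Answer(name, None, Validation.BOGUS, ad=False)  # SERVFAIL
        return Answer(name, rdata, outcome, ad=(outcome is Validation.SECURE))


def demo() -> dict:
    """Walk one broken zone through all three states (constructed data)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    zone = "broken.example."
    host = "www." + zone
    addr = "192.0.2.1"  # documentation range, constructed

    validating = Resolver(validate=True)
    before = validating.resolve(host, addr, Validation.BOGUS, t0)
    validating.add_nta(zone, t0)  # default lifetime: one hour
    during = validating.resolve(host, addr, Validation.BOGUS, t0 + timedelta(minutes=30))
    after = validating.resolve(host, addr, Validation.BOGUS, t0 + timedelta(hours=2))

    no_validation = Resolver(validate=False).resolve(host, addr, Validation.BOGUS, t0)
    good = Resolver(validate=True).resolve("www.good.example.", "192.0.2.2",
                                           Validation.SECURE, t0)
    return {"before": before, "during": during, "after": after,
            "no_validation": no_validation, "good": good}


if __name__ == "__main__":
    for label, answer in demo().items():
        print(f"{label:14s} rdata={answer.rdata!s:10s} status={answer.status.value:9s} AD={answer.ad}")
```

What the model makes visible is the point the two sides are arguing over: to the client, an answer served under an NTA and an answer from a resolver that never validated look the same (data returned, AD clear), while the resolver operator is the one who decided that a zone failing validation should be answered anyway. The lifetime handling also shows why NTAs carry an ongoing cost: once the hour passes, the zone returns to SERVFAIL unless someone renews the entry.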