On Aug 22, 2013, at 7:05 PM, Suzanne Woolf <wo...@isc.org> wrote:
> On Aug 22, 2013, at 6:25 PM, Paul Vixie <p...@redbarn.org> wrote:
>
>>
>>
>> Paul Hoffman wrote:
>>>
>>> On Aug 22, 2013, at 2:47 PM, David Conrad <d...@virtualized.org> wrote:
>>>
>>>> A resolver operator deploying an NTA is making an assertion that data
>>>> behind a name is safe despite protocol indications that it may not be.
>>>
>>> Where is that stated? I ask, because it would seem that a better
>>> description would be that they are asserting that the data behind a name is
>>> unprotected by DNSSEC.
>>
>> agreed, and that's why, over and above the absurd engineering economics
>> behind it, i don't like NTA. if my signatures don't work because i've been
>> attacked (for example, one of my name servers has been compromised), the
>> last thing i'd want is comcast telling their customers that the data
>> they're getting from my compromised name server is ok to consume because
>> it's unsigned.
To elaborate on Paul's comment:
We really do not need to create another clever attack vector. We have
sufficient already.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations