Randy Bush wrote:

> < from a conversation with a friend wiser than i >
>
> the problem is that we are going through a deployment phase where there
> is little penalty for sloppy server ops because so few are validating.
>
> patching over this to be more tolerant of sloppy server ops is going in
> the wrong direction. ...
+1. we're currently debating placement of first mover advantage. today if you sign incorrectly you lose. with NTA at scale, if you sign incorrectly you won't lose. i don't know how we'd get back from there.

i've signed incorrectly plenty of times on my own domains, because i haven't got BIND 9.8 "DNSSEC for Humans" running. every time i lose because my domain names can't be looked up because my signatures expired or whatever, it changes the equation in my head, and brings me closer to improving my signature and key management processes.

granted i don't lose money when my DNSSEC is busted, but my phone does ring. i like that -- the internet too rarely aligns incentives. we're getting it right for once.

comcast and their DNS vendors should do what suits them. but we should all resist making NTA an interoperable standard or BCP.

vixie

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
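The failure mode Vixie describes (signatures that expire before the zone is re-signed, so validating resolvers return SERVFAIL) is easy to catch before the phone rings. The check below is an added example written for this page; it is not code from the thread, from BIND, or from any DNS vendor. It parses RRSIG records in presentation format (RFC 4034 section 3.2, which allows the timestamp fields as either YYYYMMDDHHmmSS in UTC or as seconds since the epoch) and classifies each signature's validity window against a fixed "now", using only the Python standard library. It does not verify the signatures themselves, only whether a validator's clock would fall inside the inception/expiration window (RFC 4035 section 5.3.1). The zone text, the names under example.com., the key tag, and the base64 placeholders are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Presentation-format RRSIG: owner ttl IN RRSIG type-covered algorithm labels
# original-ttl expiration inception key-tag signer signature (RFC 4034 s.3.2).
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<origttl>\d+)\s+"
    r"(?P<expiration>\d+)\s+(?P<inception>\d+)\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<sig>\S+)$"
)

# Constructed sample zone fragment. The NS line uses the epoch form of the
# timestamps; the others use YYYYMMDDHHmmSS. Signatures are placeholders.
SAMPLE_ZONE = """\
; constructed sample: base64 fields are placeholders, not real signatures
example.com.      3600 IN RRSIG SOA 8 2 3600 20120201000000 20120102000000 12345 example.com. c2lnMQ==
example.com.      3600 IN RRSIG NS  8 2 3600 1328054400 1325462400 12345 example.com. c2lnMg==
www.example.com.  3600 IN RRSIG A   8 3 3600 20120110000000 20111211000000 12345 example.com. c2lnMw==
mail.example.com. 3600 IN RRSIG MX  8 3 3600 20120105120000 20111206120000 12345 example.com. c2lnNA==
ftp.example.com.  3600 IN RRSIG A   8 3 3600 20120208000000 20120109000000 12345 example.com. c2lnNQ==
"""

# Fixed clock for the example so the results are reproducible (assumed value).
SAMPLE_NOW = datetime(2012, 1, 8, 0, 0, 0, tzinfo=timezone.utc)


def parse_sig_time(field):
    """RFC 4034 s.3.2: YYYYMMDDHHmmSS (always UTC) or decimal seconds since epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def classify(expiration, inception, now, warn_before):
    """A validator accepts the RRSIG only if inception <= now <= expiration."""
    if now > expiration:
        return "expired"          # resolvers are already failing this name
    if now < inception:
        return "not-yet-valid"    # signer clock ahead of the validators' clocks
    if expiration - now <= warn_before:
        return "expiring"         # re-sign before the window closes
    return "ok"


def check_rrsigs(zone_text, now, warn_before=timedelta(days=3)):
    """Return (owner, type-covered, status, expiration) for every RRSIG in zone_text."""
    results = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RRSIG_RE.match(line)
        if not m:
            continue  # non-RRSIG records are not our concern here
        exp = parse_sig_time(m["expiration"])
        inc = parse_sig_time(m["inception"])
        results.append((m["owner"], m["covered"], classify(exp, inc, now, warn_before), exp))
    return results


def failing(results):
    """Everything a monitoring job should page on: anything other than 'ok'."""
    return [r for r in results if r[2] != "ok"]


def check_sample():
    return check_rrsigs(SAMPLE_ZONE, SAMPLE_NOW)


if __name__ == "__main__":
    for owner, covered, status, exp in check_sample():
        print(f"{status:14} {owner:20} {covered:4} expires {exp.isoformat()}")
```

In practice you would feed this the output of `dig +dnssec` or a dump of the signed zone file and run it from cron with a warning margin comfortably larger than your re-signing interval plus the largest TTL in the zone, because a cached RRSIG keeps being served, and keeps failing validation, until its TTL runs out even after the zone has been re-signed. The "not-yet-valid" case is worth keeping: it is the symptom of a signer whose clock is ahead of the resolvers', and it looks exactly like an expired signature from the outside.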