On Aug 22, 2013, at 3:25 PM, Paul Vixie <p...@redbarn.org> wrote:

>>> A resolver operator deploying an NTA is making an assertion that data
>>> behind a name is safe despite protocol indications that it may not be.
>> Where is that stated? I ask, because it would seem that a better description
>> would be that they are asserting that the data behind a name is unprotected
>> by DNSSEC.
> agreed, and that's why, over and above the absurd engineering economics
> behind it, i don't like NTA. if my signatures don't work because i've been
> attacked (for example, one of my name servers has been compromised), the last
> thing i'd want is comcast telling their customers that the data they're
> getting from my compromised name server is ok to consume because it's
> unsigned.
Exactly so. However, pragmatically speaking, if someone (say NASA, perhaps?) screws up signing their zone, it isn't the zone-signing-screwer-upper that gets the phone calls, it is the eyeball networks that are doing the validation. Without NTA, the eyeball network operators have a choice: eat the cost of those calls, or turn off validation _for ALL signed zones until the zone-signing-screwer-upper fixes their problem_. I gather you believe eating the cost is the right answer.

> madness test: would we have bothered with DNSSEC at all, back in the day, if
> NTA had been known as a definite requirement?

Sure.

Regards,
-drc
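For readers who have not run a validating resolver, the two alternatives David contrasts above (disable validation for everyone, or carve out the one broken zone with a Negative Trust Anchor) look like this in Unbound configuration syntax. This is an added illustration, not text from the thread or from either poster, and the zone name "broken.example" and the trust-anchor file path are placeholders rather than a real incident or a real deployment.

```conf
# Two unbound.conf fragments showing the choice an eyeball network has
# when a signed zone breaks. Added illustration, not from the thread;
# "broken.example" is a placeholder, not a real zone or incident.

# Option A: switch validation off globally by dropping the validator
# module. Every signed zone, not just the broken one, is now served
# unchecked, and clients never see the AD bit again.
server:
    module-config: "iterator"

# Option B: a Negative Trust Anchor. Validation stays on for everything
# else; only this one delegation is treated as if it were unsigned, so the
# resolver stops chasing DS records for it and returns the zone's answers
# without the AD bit instead of SERVFAIL.
# Caveat (Vixie's objection): while this is in place, data from a
# compromised server for broken.example is accepted just like data from
# a healthy one. This setting is also static: it has to be removed by
# hand once the zone owner fixes their signing.
server:
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    domain-insecure: "broken.example"
```

Only one of the two `server:` fragments is meant to be used at a time. BIND 9.11 and later expose the same idea at runtime rather than in named.conf: `rndc nta broken.example` installs an NTA that expires by itself (`nta-lifetime`, one hour by default) and is re-checked periodically (`nta-recheck`, five minutes by default) so it is dropped early once the zone validates again. That bounded lifetime is the usual answer to the "indefinitely trusting a compromised server" concern, but it does not change the fact that, for as long as the NTA is active, the resolver has no way to tell a mis-signed zone from an attacked one.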
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs