Ralf Weber wrote:
> There is a huge difference between DNS outages caused by connectivity and
> DNSSEC-caused outages. Without DNSSEC, screwing up your domain so badly that
> it is unreachable is very, very hard. With DNSSEC you make one small error and
> your domain goes dark for those who validate. Given that the cost of this is
> not on the domain owner, but instead on the service providers that validate,
> I think it is absolutely needed to give them a tool to minimize these costs
> (NTA).
as i've already said, NTA as a local policy is by definition OK with everybody. that's why we call it a "local" policy. but it's steeped in irony. the only reason NTA can be seen as a responsible practice in the eyes of those who practice it is, the domain owner who screwed up their signatures will still get plenty of phone calls, because NTA by definition won't have a widespread impact.

i think the fact that nominum put NTA support into CNS for comcast shows good business sense. as a nominum shareholder i applaud. any other DNS supplier who wants to compete with nominum for comcast's business will have this hill to climb first. kewl.

on the other hand i would not be glad to see NTA as an IETF RFC, FYI, BCP, or other standards-like artifact.

vixie
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
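The thread turns on what a Negative Trust Anchor actually does inside a validating resolver: it is a local, time-limited exception that turns a "bogus" DNSSEC result for one name (and, in the usual implementation, everything below it) into "insecure", so the resolver hands the answer back without the AD bit instead of returning SERVFAIL. The following is an added example written for this page, not code from Nominum CNS, Comcast, or any resolver named in the thread. It models the NTA lookup and the resulting verdict; the `chain_validates` flag is a stand-in for the real RRSIG/DS chain check, and the subtree-matching and expiry semantics are assumptions of the example (they follow what RFC 7646 describes), not something the thread specifies.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def _labels(name: str) -> Tuple[str, ...]:
    """Split a DNS name into lowercased labels in root-to-leaf order.

    'www.Example.test.' -> ('test', 'example', 'www'); the root is ()."""
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()


@dataclass
class NTAStore:
    """Constructed model of a resolver's Negative Trust Anchor list.

    Each entry maps a name (as a label tuple) to the epoch time at which the
    NTA expires. Entries are local to this resolver only, which is the point
    the thread makes: the exception never leaves the operator that set it."""
    entries: Dict[Tuple[str, ...], float] = field(default_factory=dict)

    def add(self, name: str, lifetime: float, now: Optional[float] = None) -> None:
        """Install an NTA for `name` that lapses after `lifetime` seconds."""
        now = time.time() if now is None else now
        self.entries[_labels(name)] = now + lifetime

    def covers(self, qname: str, now: Optional[float] = None) -> bool:
        """True if `qname` is at or below an unexpired NTA.

        Walks from the full name up toward the root so that an NTA for
        'example.test' also covers 'www.example.test'. Expired entries are
        dropped on sight so a forgotten NTA cannot silently live forever."""
        now = time.time() if now is None else now
        q = _labels(qname)
        for i in range(len(q), -1, -1):
            key = q[:i]
            expiry = self.entries.get(key)
            if expiry is None:
                continue
            if expiry > now:
                return True
            del self.entries[key]
        return False


def resolver_verdict(qname: str, chain_validates: bool, nta: NTAStore,
                     now: Optional[float] = None) -> str:
    """Outcome a validating resolver returns to its client for one answer.

    `chain_validates` stands in for the real DNSSEC chain-of-trust check
    (assumed input for this example). Without an NTA a failed chain is
    'bogus' and the client sees SERVFAIL; with a covering NTA the same
    answer is downgraded to 'insecure' and returned with the AD bit clear."""
    if chain_validates:
        return "SECURE"
    if nta.covers(qname, now):
        return "INSECURE"
    return "SERVFAIL"


if __name__ == "__main__":
    # Constructed scenario: example.test has broken signatures (the "one
    # small error" from the thread). Only this resolver's clients are helped.
    store = NTAStore()
    store.add("example.test", lifetime=3600, now=1000)
    for name in ("www.example.test", "example.test", "other.test"):
        print(name, resolver_verdict(name, chain_validates=False, nta=store, now=1500))
    print("after expiry:", resolver_verdict("www.example.test", False, store, now=5000))
```

Two properties worth checking in any real NTA implementation are visible here: a name that merely shares a suffix string (`badexample.test`) must not be covered, because matching is by label not by substring, and the NTA must expire on its own rather than wait for an operator to remember it.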