On 15 Apr 2012, at 03:23, Warren Kumari wrote:

> Once most ISPs are performing validation there should be fewer screwups, and
> NTAs should be almost never needed -- but until we get to that point I think
> that they are needed, and the net security wins outweigh the costs…

...and my point is that the effort should be spent on convincing AT&T, Cox and others to do validation just like Comcast. And to inform the users, press and others that, for example, it was NASA and not Comcast that had problems.

The solution is not to do a workaround in the IETF that has all different kinds of security implications, similar to the ones Doug describes. Creating NTAs so that people, as Doug says, can turn off validation per zone without interaction with whoever is responsible for the zone, without interaction with whoever *decided* that the zone should be signed, and without knowing whether it is a security incident or just a management mistake, is I think the end of DNSSEC.

So, I would rather see those that do not feel comfortable taking the discussion with the press and their customers (and of course this is also due to zone owners not doing enough press and help when they screw up) turn off validation completely, and then work together in whatever community they operate with other resolver operators to turn on validation on the same day, with the help of ISOC and whoever, and have a DNSSEC validation launch day. Similar to the work that you at Google did for IPv6. Much better than creating NTAs.

I see *today* many mistakes we have made that see the need for DNSSEC, and we could, and still can, learn from the IPv6 advocates on how to deploy something new. Easy to say afterwards though.

   Patrik

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop