Patrik,

Nobody is talking about creating NTAs. NTAs already exist. The question for this group is whether or not they are worth standardising.

Joe

Sent from my Ono-Sendai Cyberspace 7

On 2012-04-15, at 2:34, "Patrik Fältström" <p...@frobbit.se> wrote:

> On 15 apr 2012, at 03:23, Warren Kumari wrote:
>
>> Once most ISPs are performing validation there should be fewer screwups, and
>> NTAs should be almost never needed -- but until we get to that point I think
>> that they are needed, and the net security wins outweigh the costs…
>
> ...and my point is that the effort should be spent on convincing AT&T, Cox
> and others to do validation just like Comcast. And to inform the users, press
> and others that, for example, it was NASA and not Comcast that had problems.
>
> The solution is not to do a workaround in the IETF that has all different kinds
> of security implications, similar to the ones Doug describes.
>
> Creating NTAs so that people, as Doug says, can turn off validation per zone
> without interaction with whoever is responsible for the zone, without
> interaction with whoever *decided* that the zone should be signed, and
> without knowing whether it is a security incident or just a management
> mistake, is I think the end of DNSSEC.
>
> So, I would rather see those that do not feel comfortable taking the discussion
> with the press and their customers (and of course this is also due to zone
> owners not doing enough press and help when they screw up) turn off
> validation completely, and then work together in whatever community they
> operate in with other resolver operators to turn on validation on the same day,
> with the help of ISOC and whoever, and have a DNSSEC validation launch day.
> Similar work to what you at Google did for IPv6.
>
> Much better than creating NTAs.
>
> I see *today* many mistakes we have made that see the need for DNSSEC, and we
> could, and still can, learn from the IPv6 advocates on how to deploy
> something new. Easy to say afterwards though.
>
> Patrik
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop