Patrik,

On Apr 14, 2012, at 11:33 PM, Patrik Fältström wrote:

> ...and my point is that the effort should be spent on convincing AT&T, Cox
> and others to do validation just like Comcast.

The decisions as to whether to deploy an NTA vs. whether to deploy DNSSEC are made at different times and (I suspect) different places within the organization. Obviously, an organization must decide to deploy DNSSEC before the question of whether to deploy NTAs becomes relevant. My impression is that NTAs are/can be argued to reduce the risks of deploying validating resolvers.

> So, I rather see those that do not feel comfortable taking the discussion
> with the press and their customers (and of course this is also due to zone
> owners not doing enough press and help when they screw up)

I don't think it is a question of comfort. My impression is that it is a question of not losing money due to customers being unable to get their pr0n because validation has been turned on (whereas the customers' friends at another ISP can get the same pr0n with no problems). I suspect the vast majority of end users will simply not believe the response of "the zone owner screwed up and our competition is not doing the right thing".

> turn off validation completely,

This strikes me as far more detrimental to DNSSEC-enabled security than NTAs. The implication of this approach is that a mistake of a single zone owner would mean DNSSEC is disabled for everyone, everywhere, regardless of how all the other signed zones are operating. NTAs mean that validation is disabled for the offender only.

> and then work together in whatever community they operate with other resolver
> operators to turn on validation on the same day, with the help of ISOC and
> whoever and have a DNSSEC validation launch day. Similar work that you at
> Google did for IPv6.

While I think a DNSSEC validation day is a good idea, the implication here is that zone owners won't make mistakes after the DNSSEC validation launch day.

> I see *today* many mistakes we have made that see the need for DNSSEC, and we
> could, and still can, learn from the IPv6 advocates on how to deploy
> something new.

Easy to say afterwards though. Given the stunning level of IPv6 deployment after more than a decade, I'm not sure I see emulating IPv6 in this regard as the best idea.

Regards,
-drc

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
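The scoping difference drc describes (resolver-wide validation off versus an NTA for one zone), shown as an added Unbound configuration example; this is not from the original thread or from any ISP named in it, and "broken-zone.example" and the trust-anchor path are placeholders:

```conf
# Added example, not from the original thread. Unbound resolver configuration
# (unbound.conf) contrasting the two responses to a single zone owner's
# DNSSEC mistake. "broken-zone.example" is a placeholder for the broken zone;
# the root.key path is a placeholder for wherever the root trust anchor lives.

server:
    # Normal operation: validation is on for every signed zone.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    module-config: "validator iterator"

    # Option A (the approach drc argues against): drop the validator module
    # resolver-wide. Every signed zone loses DNSSEC protection for every
    # customer because one zone owner made a mistake.
    #module-config: "iterator"

    # Option B (a negative trust anchor): the chain of trust is ignored only
    # at and below the offending name, so all other signed zones remain
    # validated. Remove this line once the zone owner has fixed the zone.
    domain-insecure: "broken-zone.example"
```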