On 15 Apr 2012, at 17:46, David Conrad wrote:

> The decisions as to whether to deploy an NTA vs. whether to deploy DNSSEC are
> made at different times and (I suspect) different places within the
> organization. Obviously, an organization must decide to deploy DNSSEC before
> the question of whether to deploy NTAs becomes relevant. My impression is
> that NTAs are/can be argued to reduce the risks of deploying validating
> resolvers.
This all depends on the arguments in favor of, and against, validating resolvers. What I think you say is "...can be argued to reduce the risk of being blamed if someone is making mistakes with their keys." I.e. with the help of standardized NTAs, it will be easier for parties to always be able to give back responses, regardless of whether they validate or not. Which I think is the wrong view. You (and many more) have a different view.

In Sweden, for some reason, we managed to get people to deploy validators without being afraid of the risk of being blamed. Or rather, the "risk" of being blamed was much lower in the calculation that led to so many access providers turning on validation.

>> So, I rather see those that do not feel comfortable taking the discussion
>> with the press and their customers (and of course this is also due to zone
>> owners not doing enough press and help when they screw up)
>
> I don't think it is a question of comfort. My impression is that it is a
> question of not losing money due to customers being unable to get their pr0n
> because validation has been turned on (whereas the customers' friends at
> another ISP can get the same pr0n with no problems). I suspect the vast
> majority of end users will simply not believe the response of "the zone owner
> screwed up and our competition is not doing the right thing".

Ok, I agree with this, and it was sort of what I said as well.

>> turn off validation completely,
>
> This strikes me as far more detrimental to DNSSEC-enabled security than NTAs.
> The implication of this approach is that a mistake of a single zone owner
> would mean DNSSEC is disabled for everyone, everywhere, regardless of how all
> the other signed zones are operating. NTAs mean that validation is disabled
> for the offender only.

Ok.
>> and then work together in whatever community they operate with other
>> resolver operators to turn on validation on the same day, with the help of
>> ISOC and whoever and have a DNSSEC validation launch day. Similar work that
>> you at Google did for IPv6.
>
> While I think a DNSSEC validation day is a good idea, the implication here is
> that zone owners won't make mistakes after the DNSSEC validation launch day.

Well, we of course must first decide what the problem is, and what problem we might resolve with a validation deployment day. I think one thing it can help with is to make it more understandable to /. people who is to blame for the inability to reach whatever is to be reached. And to some degree that is what I heard from for example Google before the initiative with IPv6 day started.

>> I see *today* many mistakes we have made that see the need for DNSSEC, and
>> we could, and still can, learn from the IPv6 advocates on how to deploy
>> something new. Easy to say afterwards though.
>
> Given the stunning level of IPv6 deployment after more than a decade, I'm not
> sure I see emulating IPv6 in this regard as the best idea.

Well, I was more thinking of the (un-) happy eyeballs problem. Or let me ask you differently, if many access providers and not only Comcast started to do validation at the same time, would we be in a different situation?

Patrik

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
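The point David makes about blast radius (a global "validation off" switch versus an NTA scoped to the offending zone) is easy to see in a small policy model. The following is an added illustration, not code from this thread or from any resolver; the zone names, the "bogus" outcomes and the `serve`/`zone_covers` helpers are constructed for the example, and the model deliberately omits details such as NTA lifetimes.

```python
"""Toy model of a validating resolver's serve/refuse decision under three
policies: validate with no NTA, validation switched off globally, and
validate with a negative trust anchor (NTA) for one broken zone.
Added example; not code from the DNSOP thread or from any real resolver."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    name: str            # queried owner name, e.g. "www.example.com."
    dnssec_status: str   # constructed validation outcome: "secure", "insecure" or "bogus"


def zone_covers(zone: str, name: str) -> bool:
    """True when `name` is `zone` itself or lies beneath it (label-wise suffix match).
    An NTA placed at a zone apex covers the whole subtree, not just the apex name."""
    zl = zone.strip(".").lower().split(".")
    nl = name.strip(".").lower().split(".")
    return len(nl) >= len(zl) and nl[len(nl) - len(zl):] == zl


def serve(answer: Answer, validate: bool, ntas: frozenset) -> bool:
    """Decide whether the resolver hands the answer to the client."""
    if not validate:
        return True                      # global switch off: nothing is checked, bogus included
    if answer.dnssec_status != "bogus":
        return True                      # secure or provably insecure data is fine
    # Bogus data is refused unless an NTA explicitly covers the name.
    return any(zone_covers(z, answer.name) for z in ntas)


# Constructed sample traffic: example.com models a zone whose operator botched a
# key rollover; bank.example models an unrelated zone whose bogus status stands
# in for a tampered response that validation is supposed to stop.
SAMPLE_ANSWERS = (
    Answer("www.example.com.", "bogus"),
    Answer("mail.example.com.", "bogus"),
    Answer("www.example.net.", "secure"),
    Answer("login.bank.example.", "bogus"),
    Answer("www.legacy.example.", "insecure"),
)

# (validate?, NTAs) for each policy discussed in the thread
POLICIES = {
    "validate, no NTA": (True, frozenset()),
    "validation off": (False, frozenset()),
    "validate + NTA example.com": (True, frozenset({"example.com."})),
}


def served_names(policy: str, answers=SAMPLE_ANSWERS) -> set:
    """Names the policy hands to clients (the availability side)."""
    validate, ntas = POLICIES[policy]
    return {a.name for a in answers if serve(a, validate, ntas)}


def bogus_served(policy: str, answers=SAMPLE_ANSWERS) -> set:
    """Bogus names the policy still hands out (the security cost)."""
    validate, ntas = POLICIES[policy]
    return {a.name for a in answers
            if a.dnssec_status == "bogus" and serve(a, validate, ntas)}


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:28} serves:       {sorted(served_names(policy))}")
        print(f"{'':28} bogus served: {sorted(bogus_served(policy))}")
```

Running it shows the trade-off in one screen: with validation off, the tampered `login.bank.example.` answer is served alongside the broken zone's records, whereas the NTA for `example.com.` restores `www.example.com.` and `mail.example.com.` while `login.bank.example.` is still refused. Production resolvers also attach a lifetime to an NTA so the exception does not outlive the zone owner's fix; the model leaves that out.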