Warren Kumari wrote:
> Over on the BIND-Users list there is currently a discussion of
> fema.net (one of the "Federal Emergency Management Agency" domains)
> being DNSSEC borked
> (https://lists.isc.org/pipermail/bind-users/2014-October/094142.html)
>
> This is an example of the sort of issues that an NTA could address --
> I'd like to note that currently neither Google Public DNS (8.8.8.8)
> nor Comcast (75.75.75.75) have put in an NTA for it, but if it were
> fema.gov, and this were during some sort of national disaster in the
> US, things might be different...
If an authoritative domain (e.g. irs.gov) screwed up its delegation NS records so it effectively went dark, or made some similar sort of authoritative DNS or nameserver error, we wouldn't expect the recursive, caching side to resolve those sorts of errors. The domain's DNS would simply be unavailable until they resolved their problem. I'm not sure I understand why DNSSEC is somehow different. If a domain owner chooses to sign its authoritative zones and at some point screws up either their signing or their chain of trust, they should reasonably expect their DNS to go dark to a certain percentage of the world. (I believe in the United States currently, that's around a quarter of the population, at least according to APNIC Labs numbers. That tends to be the part of the world I watch most closely.)

I do understand the need ISPs had to manage customer perceptions, especially for the earliest adopters like Comcast. Support calls cost money and in some instances, an irate customer may choose to switch providers. That likely persists to some extent today, but with Google on board the pressure is, at least, less than it was before. And as those implementing DNSSEC validation continue to increase, that pressure will continue to drop.

Outside of the ISP early adopter use case, though, I'm not sure I understand the need for NTAs. We've had DNSSEC validation of Internet queries enabled for our enterprise since 2011. On the enterprise side, we simply explain the problem and that it's on the domain provider's end and that it's their responsibility to fix it. Until they do, we won't be able to resolve their domain. We've never viewed it as our responsibility to try to fix problems on the authoritative side of DNS for domains we don't own or manage. Truthfully, we don't really encounter as many issues as we once did.

Given the limited nature of the use case, I'm not convinced it matters if there's a single specification for implementing it or not.
I'm not really opposed to the idea either, nor do I have any issues with the draft. But after several years of experience without NTAs from a non-ISP perspective, I do know it hasn't been a burden or major issue.

Scott

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop