pe> NTAs in production use aren't even vaguely new. They've been in wide
pe> use for 8-10 years that I'm aware of. They are part of why folks
pe> like Google, Cloudflare, Comcast et al. are willing to do DNSSEC
pe> validation in production.
paul> i know that. i just don't like it. without backpressure,
paul> sloppiness will normalize. (always.)

Not always. Sometimes, pain teaches avoidance, not improvement. We already have a slow enough rollout of DNSSEC as it is.

One of the things I've never been happy about with DNSSEC (but admit no brilliant alternate solution for) is that the cost and pain are in the wrong place. If NASA borks their DNSSEC, the large recursive resolvers eat huge customer support costs but NASA is mostly unscathed (and may not even notice immediately). So the incentive to do better operationally is light for NASA, but the resolver operators have very little leverage to encourage them to do better.

I hold up most of .milnet as an example of years of DNSSEC breakage making very little headway in operational improvements. While a lot of that is due to it being an unfunded mandate for years, breakage certainly hasn't improved things much faster.

NTAs shouldn't be over-used or abused, but there's no question they have significantly moved the needle in getting recursive operators to validate, which is a huge part of what's needed for wide-scale DNSSEC deployment to be useful.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations