Tony,

On Wednesday, 2012-04-11 15:20:50 +0100, Tony Finch <d...@dotat.at> wrote:
> Shane Kerr <sh...@isc.org> wrote:
> >
> > For example, I know someone who regularly forgets to re-sign his
> > zones.
>
> That's just stupid. There are a lot of sensible words in Jason's draft
> to say that negative trust anchors should not be used as a long-term
> workaround for some third party's persistent incompetence.

Okay, that was an extreme example, but nevertheless if your customers
want service to a domain that works if DNSSEC is disabled, what choice
do you have?

What the ISP experiences:

Customer: "I can't get to supercute.newtld!!!! WHINE!!!"
ISP: "Yes, sorry, they have a technical problem with their domain and it
is not secure."
Customer: "But it works from the office!!!"
ISP: "Your office does not have DNSSEC validation enabled, and is not
protecting you."
Customer: "You suck! I'm going to EvilCompetitor, Inc.!!!"

What the customer experiences:

Customer: "Sorry to disturb you, but my most loved people in the world
can't get to the one web site that brings joy into their lives."
ISP: "The dilithium crystals in the Heisenberg compensators of that PADD
are misaligned."
Customer: "Okay... but I tried it from work and it is okay."
ISP: "HAHAHA!! Trust us, we know what we're talking about and nobody
else does. You can't really see this site from work, it is an evil
impostor!!!"
Customer: "Riiiight..."

Disabling DNSSEC validation for broken domains seems completely
rational, at least for some types of brokenness.

--
Shane

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
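As an added illustration of what "disabling DNSSEC validation for a broken domain" looks like on a validating resolver (this is editor-supplied example configuration, not part of Shane's message or of Jason's draft): an Unbound negative trust anchor is expressed with the `domain-insecure:` option, which tells the resolver to stop requiring a chain of trust at and below that name while still validating everything else. The domain name `supercute.newtld` is the one from the message above and is assumed to be the broken zone; the comments and the operational notes around it are the editor's.

```conf
# unbound.conf fragment: keep validation on, but carve out one broken zone.
server:
    # Validation stays enabled for every other name; this is the normal,
    # protective setting and is not touched when adding an NTA.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Negative trust anchor for the zone that the ISP's customers cannot
    # reach because its DNSSEC data is broken (expired signatures, bad DS,
    # etc.).  Answers from this zone and below are treated as insecure
    # (no AD bit) rather than bogus (SERVFAIL).  Name is assumed.
    domain-insecure: "supercute.newtld"

    # Shorten the lifetime of cached bogus answers for the zone so that the
    # resolver re-tries soon after the NTA is removed, instead of keeping
    # serving SERVFAIL from cache.  Value is an assumed, conservative choice.
    val-bogus-ttl: 60
```

Before adding the entry, confirm that the failure really is a validation failure and not an outage: `dig @resolver supercute.newtld A` returning SERVFAIL while `dig @resolver +cd supercute.newtld A` (checking disabled) returns data is the signature of a DNSSEC problem rather than an unreachable authority. Record the date the NTA was added and review it on a schedule; the whole point of the thread is that the entry is a temporary workaround, and an NTA that is never removed silently turns the zone into an unprotected one. BIND offers the same carve-out as `validate-except { "supercute.newtld"; };` inside `options`.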