Tony,

On Wednesday, 2012-04-11 15:20:50 +0100,
Tony Finch <d...@dotat.at> wrote:
> Shane Kerr <sh...@isc.org> wrote:
> >
> > For example, I know someone who regularly forgets to re-sign his
> > zones.
> 
> That's just stupid. There are a lot of sensible words in Jason's draft
> to say that negative trust anchors should not be used as a long-term
> workaround for some third party's persistent incompetence.

Okay, that was an extreme example, but nevertheless if your customers
want service to a domain that works if DNSSEC is disabled, what choice
do you have?

What the ISP experiences:

        Customer: "I can't get to supercute.newtld!!!! WHINE!!!"
        ISP:      "Yes, sorry, they have a technical problem with
                  their domain and it is not secure."
        Customer: "But it works from the office!!!"
        ISP:      "Your office does not have DNSSEC validation
                  enabled, and is not protecting you."
        Customer: "You suck! I'm going to EvilCompetitor, Inc.!!!"

What the customer experiences:

        Customer: "Sorry to disturb you, but my most loved people in
                  the world can't get to the one web site that
                  brings joy into their lives."
        ISP:      "The dilithium crystals in the Heisenberg
                  compensators of that PADD are misaligned."
        Customer: "Okay... but I tried it from work and it is okay."
        ISP:      "HAHAHA!! Trust us, we know what we're talking about
                  and nobody else does. You can't really see this site
                  from work, it is an evil impostor!!!"
        Customer: "Riiiight..."

Disabling DNSSEC validation for broken domains seems completely
rational, at least for some types of brokenness.

--
Shane
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop