On 4/13/12 5:00 PM, "Patrik Fältström" <p...@frobbit.se<mailto:p...@frobbit.se>> wrote: In a private chat I am asked to explain my "+1".
Let me explain why. Today, before negative trust anchors, the responsibility for whether a the resolution that is basis for a connection establishment is with the zone owner. If the signature fails, it fails, resolution fails, and the connection can not be established. Now, if we have negative trust anchors that the validator is controlling, then I interpret it as if this choice of ability to resolve a name moves from the zone owner to the validator (or as in the case of X.509 certs to the client). What I am against is this *CHANGE* in who is responsible. It is indeed a concern (see a section dedicated to this @ http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01#section-5). But I argue that the design of DNSSEC or the way that incremental deployment was envisioned shifted this model by making it something that a recursive operator had to take action to turn on. This creates the situation where recursive operators get the costs of adoption errors initially. But, all of this thinking leads me to think about DNSSEC validation "risks" are very similar to the risk with deploying IPv6? We have an IPv6 day, but why not a DNSSEC day? One day where *many* players at the same time turn on DNSSEC validation? +1 - Jason
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop