Hello,

(at the risk of launching a lot of weekend messages, again,
 - which I read with great interest after some days of absence ...)

The draft on "Negative Trust Anchor", section 7: "Use of a NTA",
seems incomplete!

Actually, the validating caching name server is itself only an
intermediate step between
- the authoritative name servers (whose admins may commit errors)
and
- the forwarding name server or resolver on an end device.

And what if that forwarding name server
or that resolver on the end device performs validation itself?

If the "end client" performs validation and is unaware of the NTA,
it is in trouble again!
And the validating caching name server that implements the NTA
cannot pretend the DS record in the parent does not exist,
because it cannot provide the appropriate "Next Secure" data (DNSSEC ...).
(The only one that can remove the DS record is the parent:
 it has the private key to provide the correctly signed "Next Secure"
data.)


While I do acknowledge the concern of ISPs that offer validation
to somehow protect their customers in case of a (DNSSEC-only)
problem with some domain or other,
I'm afraid "Negative Trust Anchor" may introduce other problems.

Together with other commenters on this subject,
I do think there should be some best-practice recommendation
about how to cope with this kind of problem.


Kind regards,

Marc Lampo


-----Original Message-----
From: Livingood, Jason [mailto:jason_living...@cable.comcast.com] 
Sent: 16 April 2012 07:40 PM
To: Marc Lampo; dnsop
Cc: ralf.we...@nominum.com; Nick Weaver
Subject: Re: on "Negative Trust Anchors"

Inline.
- JL


On 4/12/12 8:21 AM, "Marc Lampo" <marc.la...@eurid.eu> wrote:
>The draft of Negative Trust Anchors does not mention anything about 
>informing the operator of the failing domain.

I'll make a note to call this out in the next version. Something about
making reasonable attempts to notify the domain of the issue and any
action taken (such as using an NTA and when it expires, how to contact the
party adding the NTA, etc.).

>The advantage over negative trust anchor would be that this is more
>centrally managed: the action by the parent (remove DS) is visible
>(TTL permitted) to any validating name server.
> (the negative trust anchor needs to be configured by every validating NS,
>   whose administrators bother to do so)

I see the advantages but I'm reluctant to see this more automated / easy.

Thanks,
Jason

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
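The "Next Secure" point made above, worked through in an added example (this is not code from the draft, from any resolver implementation, or from either poster). It is a toy DNSSEC model in Go using Ed25519 keys (DNSSEC algorithm 15) and a SHA-256 DS digest (digest type 2), with hypothetical zone names "tld.", "broken.tld." and "resolver.isp.example." and a flat-string stand-in for RFC 4034 canonical form. It models an end client that validates for itself and knows nothing about the resolver's NTA: the client rejects the child whose published DNSKEY no longer matches the parent's DS, and it accepts an NSEC with the DS bit absent only when the parent signed it, not when the resolver signs it with its own key or replays the parent's real RRSIG over altered NSEC data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// RRset is a simplified DNSSEC RRset; the canonical form is a flat string, not RFC 4034 wire format.
type RRset struct {
	Owner, Type string
	RData       []string
}

func (r RRset) canonical() []byte {
	return []byte(strings.ToLower(r.Owner) + "|" + r.Type + "|" + strings.Join(r.RData, ";"))
}

// RRSIG names the zone whose key made the signature, as the real RRSIG signer field does.
type RRSIG struct {
	SignerName string
	Sig        []byte
}

// Zone holds one Ed25519 key pair (DNSSEC algorithm 15) standing in for its DNSKEY.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Zone{Name: name, Pub: pub, priv: priv}
}

// Sign makes an RRSIG with this zone's private key; no other party can produce it.
func (z Zone) Sign(r RRset) RRSIG {
	return RRSIG{SignerName: z.Name, Sig: ed25519.Sign(z.priv, r.canonical())}
}

// DS models the parent-side DS record as a SHA-256 digest (digest type 2) of the child key.
func DS(childKey ed25519.PublicKey) string {
	sum := sha256.Sum256(childKey)
	return hex.EncodeToString(sum[:])
}

// Validator is the self-validating end client: it trusts only the keys configured here
// and knows nothing about any NTA on the resolver it forwards to.
type Validator struct {
	Trusted map[string]ed25519.PublicKey
}

func (v Validator) Verify(r RRset, sig RRSIG) bool {
	pub, ok := v.Trusted[sig.SignerName]
	return ok && ed25519.Verify(pub, r.canonical(), sig.Sig)
}

// ChildChains is the delegation check: parent-signed DS, and the child's published DNSKEY must hash to it.
func (v Validator) ChildChains(ds RRset, dsSig RRSIG, childKey ed25519.PublicKey) bool {
	return v.Verify(ds, dsSig) && ds.RData[0] == DS(childKey)
}

// Outcome records what the end client concludes in each case.
type Outcome struct {
	OldKeyChains, BrokenKeyChains                                     bool
	ForgedDenialAccepted, ReplayedDenialAccepted, ParentDenialAccepted bool
}

func RunScenario() Outcome {
	parent := NewZone("tld.")                    // hypothetical parent zone
	childOld := NewZone("broken.tld.")           // child key the published DS was made for
	childNew := NewZone("broken.tld.")           // key the child serves after a botched rollover
	resolver := NewZone("resolver.isp.example.") // the NTA-holding resolver has only its own key
	client := Validator{Trusted: map[string]ed25519.PublicKey{parent.Name: parent.Pub}}

	ds := RRset{Owner: "broken.tld.", Type: "DS", RData: []string{DS(childOld.Pub)}}
	dsSig := parent.Sign(ds)
	// NSEC the parent really publishes: DS is in the type bitmap, so it proves the DS exists.
	realNSEC := RRset{Owner: "broken.tld.", Type: "NSEC", RData: []string{"next.tld. NS DS RRSIG NSEC"}}
	realNSECSig := parent.Sign(realNSEC)
	// The "Next Secure" data a resolver would have to hand down to make the delegation look unsigned.
	denial := RRset{Owner: "broken.tld.", Type: "NSEC", RData: []string{"next.tld. NS RRSIG NSEC"}}

	return Outcome{
		OldKeyChains:           client.ChildChains(ds, dsSig, childOld.Pub), // true: sanity check
		BrokenKeyChains:        client.ChildChains(ds, dsSig, childNew.Pub), // false: end client sees bogus
		ForgedDenialAccepted:   client.Verify(denial, resolver.Sign(denial)), // false: wrong key
		ReplayedDenialAccepted: client.Verify(denial, realNSECSig),           // false: RRSIG binds the RDATA
		ParentDenialAccepted:   client.Verify(denial, parent.Sign(denial)),   // true: only the parent can
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Run it with `go run` on the file; the printed Outcome shows only ParentDenialAccepted and OldKeyChains as true. The NTA lets the resolver stop validating for its own answers, but nothing it can sign or replay turns into a DS denial that a downstream validator will accept, which is the gap in section 7 the message above points at.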