On Aug 26, 2013, at 7:40 AM, Phil Regnauld <[email protected]> wrote:
> > On 26/08/2013, at 13.18, Ralf Weber <[email protected]> wrote:
> >
> >> So what would your advice be to the people running resolvers/validators?
>
> Currently validating resolvers suffer from an additional and different set of
> configuration mistakes from those that don't validate. Arguably if everyone
> validated then it wouldn't matter if foo.com failed because they fumbled the
> DS or failed to pay for renewal. At that stage, It's Their Problem, Not Yours
> because everyone on the resolver side experiences the same problem (give or
> take $ttl just like in insecure DNS). So get everyone else to validate so
> we're all in the same boat :)
>
> Humor aside, I agree better automated processes would help - although today
> no software helps you prevent mismatched parent and child delegations, for
> instance. But dnssec IS more complicated, and more automation (and policy
> enforcement - here I'm looking at opendnssec) will certainly help. In the
> meantime...
>
> ... Will NTAs delay adoption of validation or speed it up thanks to the warm
> fuzzy feeling?

While in full agreement that signer-side tools and processes need work (and yes, I work for a DNS software vendor), I think on balance NTA speeds up adoption by compartmentalizing "other people's mistakes" and allowing the resolver operator to still get the benefit of DNSSEC from server operators who do properly maintain their DNSSEC.

As with any tool, virtual or physical, NTA can be useful, but careless operation comes with a price. That may or may not be a reason to leave the tool on the shelf. Why would we assume that resolver operators are less able to make intelligent use of improved policy tools such as NTA than server operators are of better tools for maintaining (or breaking) their DNSSEC?
Suzanne

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
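As an added illustration of the scoped negative trust anchor the thread is debating (this fragment is not configuration posted by anyone in the thread), here is an Unbound `unbound.conf` excerpt that keeps validation on for every zone and carves out exactly one zone whose operator broke their delegation. `broken-example.test` is a placeholder zone name, the trust-anchor path is an assumed default, and the dates and ticket reference in the comments are constructed to show the tracking habit, not real values.

```conf
server:
    # Validation stays on for everything else: the root trust anchor
    # is kept current automatically (RFC 5011). Path is an assumption.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Do NOT do this: permissive mode makes validation failures
    # non-fatal for every zone, which discards the benefit an NTA
    # is meant to preserve for the zones that are signed correctly.
    # val-permissive-mode: yes

    # Too broad: this switches off the chain of trust under an entire
    # TLD to work around one operator's mistake.
    # domain-insecure: "com"

    # Negative trust anchor scoped to the single failed zone
    # (placeholder name). Record who added it, why, and when it is
    # reviewed so it does not outlive the parent/child mismatch it
    # papers over. Dates and ticket id below are constructed.
    # NTA added 2013-08-26, ticket OPS-PLACEHOLDER, review 2013-09-02
    domain-insecure: "broken-example.test"
```

The same exception can be applied at runtime with `unbound-control insecure_add broken-example.test` and withdrawn with `unbound-control insecure_remove broken-example.test`; entries added that way do not survive a restart, which is convenient for a short-lived NTA but means the review date above still has to live somewhere an operator will see it.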
