> From: Antoin Verschuren <[email protected]>
>
> A truly DNSSEC aware authoritative server should not publish a zone,
> not even the unsigned records, when validation fails for that zone.
> That way, if a DNSSEC signed zone is DNSSEC broken, it's also broken
> for a non-validating resolver, there is no competition issue, and the
> zone publisher should fix his zone to get it working at all.
>
> Who will be the first DNS vendor implementing? :-)
How about this: Everyone running DNSSEC aware authoritative servers will also run and use a distant DNSSEC recursive server to check periodically (e.g. with nagios), as well as before and after changes, that the authoritative servers are sane.

Or this: Everyone running an aware authoritative server will also run and use a recursive server to check periodically (e.g. with nagios), as well as before and after all changes, that the authoritative server is sane.

NTA is like the set-UID 0 shells and equivalents that everyone with much computer experience has used at one time or another to deal with extremely incompetent and uncooperative cow-orkers whose nominal responsibilities include running computers that must function at least partially for you to do your own job. NTA differs from other such back doors most in being spoken about in public and even advocated by people who claim to care about security and don't know (or claim to not know) what I'm talking about in set-UID shells.

Like all such unspeakables, there's little that should be said about NTA. The prudent will avoid using it, protect their installations of it from abuse (e.g. automatic expiration), be wary of anyone who might be able to use it against their own domains, avoid being questioned about having used it, and avoid the company of those who brag about or advocate using it.

Vernon Schryver [email protected]
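The periodic sanity check suggested in the reply above, as an added example that is not from the original post: a Nagios-style plugin that asks a distant validating resolver for the zone's SOA twice, once normally and once with the CD (checking disabled) bit set, and classifies the pair of answers. The resolver address and zone name are command-line arguments, the use of `dig` is an assumption, and the sample responses embedded below are constructed.

```python
#!/usr/bin/env python3
"""Check a signed zone through a remote validating resolver (added example)."""
import re
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes

# Constructed dig header fragments for offline use: a bogus zone seen with and
# without CD, and a correctly validating zone (note the 'ad' flag).
SAMPLE_BOGUS = (";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1\n"
                ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n")
SAMPLE_CD = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2\n"
             ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n")
SAMPLE_GOOD = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3\n"
               ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n")

def parse_dig(output):
    """Return (rcode, set of header flags) from dig's ';; ->>HEADER<<-' and ';; flags:' lines."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r"^;; flags:([^;]*);", output, re.M)
    if not status or not flags:
        return None, set()
    return status.group(1), set(flags.group(1).split())

def classify(normal, cd):
    """Combine the validating answer with the CD=1 answer into a Nagios verdict."""
    n_status, n_flags = parse_dig(normal)
    c_status, _ = parse_dig(cd)
    if n_status is None or c_status is None:
        return UNKNOWN, "could not parse resolver responses"
    if n_status == "SERVFAIL" and c_status == "NOERROR":
        # Data is reachable but fails validation: the zone itself is broken.
        return CRITICAL, "zone fails DNSSEC validation (answer only with CD=1)"
    if n_status == "SERVFAIL":
        return CRITICAL, "SERVFAIL even with CD=1: authoritative servers unreachable or broken"
    if n_status == "NOERROR" and "ad" not in n_flags:
        return WARNING, "answer not authenticated (zone unsigned or DS missing at parent?)"
    if n_status == "NOERROR":
        return OK, "zone validates"
    return UNKNOWN, "unexpected rcode %s" % n_status

def run_dig(resolver, zone, *extra):
    """Query the remote validating resolver for the zone's SOA (assumes dig is installed)."""
    cmd = ["dig", "@" + resolver, zone, "SOA", "+dnssec", "+time=5", "+tries=1", *extra]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout

if __name__ == "__main__":
    resolver, zone = sys.argv[1], sys.argv[2]
    code, message = classify(run_dig(resolver, zone), run_dig(resolver, zone, "+cd"))
    print(["OK", "WARNING", "CRITICAL", "UNKNOWN"][code] + ": " + zone + " - " + message)
    sys.exit(code)
```

Run it before and after every zone change as well as from the periodic monitor; a CRITICAL with a NOERROR on the CD query is exactly the "broken only for validators" state the quoted message wants to make impossible.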
