On Mon, Mar 01, 2021 at 09:12:38AM +0100, Petr Špaček wrote:
> ...
>
> IMHO resolver market economics are going against DNSSEC security. If
> resolution does not work on one operator, people routinely switch to another
> where it "works", either because they do not validate at all, or because
> their ops team already added a negative trust anchor.
>
> The only way to fix this is mutual agreement among operators to stop working
> around someone else's mistakes.
>
> Are there operators willing to participate in such an effort?
i'm not a significant operator of recursive validators, so my opinion is of little weight on that specific question.

more generally, it's likely time to declare NTA a self-immolation mistake for DNSSEC, and schedule a DNS Flag Day (which this would be, unlike the recent message size change that was called a "flag day" purely for marketing reasons) to remove NTA from the Internet. would all of the DNS server implementors agree to remove NTA from their code, in a coordinated and well publicized manner, so that DNSSEC key/signature errors become suicidal for zone owners?

i surely wish it were so, but sadly, i doubt that any large-scale RDNS operator would tolerate the resulting NOC or call center complaint volume while the invisible hand did its work.

NTA won't be _the_ thing that killed DNSSEC, but it's in the top five.

-- 
Paul Vixie

_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
