Responding to a message at random ...
I skimmed the draft, and with respect to the authors, this is a terrible
idea.
DNSSEC is pointless if it's not used as designed. Providing an easy way
to bypass validation makes many things worse instead of better ... not
the least of which is that if an attacker has actually compromised the
authoritative name servers for the domain you've just made their job
100% easier (and thereby removed all the protection that DNSSEC is
supposed to provide).
Furthermore, the mechanism is not necessary, since if you somehow had
knowledge that it was safe to use the data even if it doesn't validate,
you can temporarily set up a forward zone that points to a
non-validating resolver.
The mentality that we need to provide crutches and bandages to paper
over the mistakes by DNS admins is exactly what has perpetuated the long
history of bad habits and "zomg I can't believe that something so badly
configured ever actually worked" that is one of the reasons DNSSEC
rollouts are failing in the first place. Providing more crutches and
bandages is not the answer.
Doug
--
If you're never wrong, you're not trying hard enough
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop