On 13 apr 2012, at 22:24, Patrik Fältström wrote:
> +1
In a private chat I am asked to explain my "+1".

Let me explain why.

Today, before negative trust anchors, the responsibility for whether the
resolution that is the basis for a connection establishment works lies with the
zone owner. If the signature fails, it fails, resolution fails, and the
connection cannot be established.

Now, if we have negative trust anchors that the validator is controlling, then I
interpret it as if this choice of the ability to resolve a name moves from the
zone owner to the validator (or, as in the case of X.509 certs, to the client).

What I am against is this *CHANGE* in who is responsible.

Further, I think for .COM (and in the US) we are extremely unlucky that more or
less only one large validator started validating, and then one zone owner made
mistakes with their DNSSEC data. This made the press and the community blame the
one that did right, the validator, when in fact the one that validated and
rejected some RRs did the right thing.

In Sweden, where we also had such "incidents", we did not "give up" that easily.
But we succeeded because of, I think, two things:

- We managed to have more than one major ISP/resolver start validating on the
same date, so, as far as I know, no incident, regardless of how bad it was, was
ever one that blamed the validator.

- We managed to educate the press and whoever else could help put a wet blanket
over all rumors that the validator was the one to blame when validation did not
work.

Of course this was MUCH easier in Sweden, which is a much smaller country than
"the group of entities that uses .COM".

But all of this thinking leads me to think that the "risks" of DNSSEC validation
are very similar to the risk of deploying IPv6. We have an IPv6 day, but why not
a DNSSEC day? One day where *many* players turn on DNSSEC validation at the same
time?

If we did, then maybe it would be easier for parties to turn on validation,
because it could be easier for them to explain that it is not whoever is
validating that is making mistakes when there are failures, but instead the zone
owner?

And to go back to the "+1", I say strongly "+1" because alternatives (like what
I just described) to changing who is responsible for making the decision of
whether validation should work or not are not explored enough. Definitely not.

I am not giving up yet, although after my work in a role responsible for many
products at an ISP in 1996-2000, I definitely understand the cost of negative
press and an increased number of calls to customer service.
Patrik
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
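The responsibility shift the message describes, as an added illustration that is not part of the original mail or of any real resolver: a toy model of the final decision a validating resolver makes when an answer fails DNSSEC validation, first without and then with a negative trust anchor (NTA). Everything here is an assumption of the example, not a specification: the names, the scope rule (an NTA covers the name it is set on and everything below it, never its ancestors), the mandatory lifetime, and the log line written whenever an NTA is actually used so that the operator's override stays visible. Resolvers that later implemented NTAs (RFC 7646) have their own rules.

```python
"""Toy model of a validating resolver's answer policy with negative trust
anchors. Constructed for illustration only; not the code of any resolver."""
import time
from dataclasses import dataclass, field

# Validation results and the resolver's refusal outcome (constructed labels).
SECURE = "secure"
INSECURE = "insecure"
BOGUS = "bogus"
SERVFAIL = "SERVFAIL"


def _labels(name):
    """Split a DNS name into labels, lower-cased, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def is_subdomain(name, ancestor):
    """True if name equals ancestor or lies below it in the DNS tree."""
    n, a = _labels(name), _labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


@dataclass
class Validator:
    # NTA owner name -> expiry (unix time). Assumed policy: every NTA is
    # time-limited, so a temporary override cannot silently become permanent.
    ntas: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def add_nta(self, name, lifetime_seconds, now=None):
        now = time.time() if now is None else now
        self.ntas[name.lower().rstrip(".")] = now + lifetime_seconds

    def active_nta_for(self, name, now):
        """Return the NTA owner name that covers `name` and has not expired."""
        for nta, expiry in self.ntas.items():
            if expiry > now and is_subdomain(name, nta):
                return nta
        return None

    def resolve(self, name, validation_result, now=None):
        """Decide what the client gets for `name`.

        validation_result is what DNSSEC validation of the answer said
        (SECURE, INSECURE or BOGUS). Returns (outcome, security status).
        """
        now = time.time() if now is None else now
        if validation_result != BOGUS:
            return ("answer", validation_result)
        nta = self.active_nta_for(name, now)
        if nta is None:
            # Without an NTA the zone owner's signatures decide: bogus data
            # is not handed to the client and the resolver refuses to answer.
            return (SERVFAIL, BOGUS)
        # With an NTA the decision has moved to the validator's operator:
        # the data is returned as insecure (no AD bit) and the use is logged.
        self.log.append(f"NTA {nta} used to answer {name} despite bogus data")
        return ("answer", INSECURE)


if __name__ == "__main__":
    v = Validator()
    t0 = 1_000_000
    print(v.resolve("www.example.com", BOGUS, now=t0))        # zone owner decides
    v.add_nta("example.com", lifetime_seconds=3600, now=t0)
    print(v.resolve("www.example.com", BOGUS, now=t0))        # operator override
    print(v.resolve("www.example.com", BOGUS, now=t0 + 7200)) # override expired
    print(v.log)
```

The two behaviours side by side make the point of the mail concrete: until `add_nta` is called, a bogus answer for `www.example.com` ends in SERVFAIL and the zone owner's DNSSEC data is the only thing that can fix it; after it, the same bogus answer is served as insecure on the validator operator's say-so. The expiry and the log entry are the two controls an operator would want if they do take that decision on.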