Patrik,

On Apr 13, 2012, at 2:00 PM, Patrik Fältström wrote:

> What I am against is this *CHANGE* in who is responsible.

I don't see NTAs changing who is responsible. I see it changing who absorbs the costs. Without NTAs, it is primarily the validator operator, and those costs can't be passed on to the responsible folks. With NTAs, the validator operator can avoid those costs. The authority that has screwed up has increased the risk that the names it is serving can be poisoned, which it presumably cares about if it has bothered to sign (even if it screwed it up). I have some faith that if an authority screws up, numerous people will make them aware of that screwup.

> In Sweden, where we also had such "incidents" we did not "give up" that easy.

As you note, there is a scale issue here. To be fair, my understanding is that the number of customers that would be affected by validation failures detected by Comcast alone is about twice the entire population of Sweden.

More pragmatically, while I understand the theory behind rejecting NTAs, I have to admit it feels a bit like the IETF rejecting NATs and/or DNS redirection. I would be surprised if folks who implement NTAs will stop using them if they are not accepted by the IETF.

> But, all of this thinking leads me to think about DNSSEC validation "risks"
> are very similar to the risk with deploying IPv6? We have an IPv6 day, but
> why not a DNSSEC day? One day where *many* players at the same time turn on
> DNSSEC validation?

Definitely a good idea.

Regards,
-drc

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
