On 4/13/2012 2:19 PM, David Conrad wrote:
> Patrik,
>
> On Apr 13, 2012, at 2:00 PM, Patrik Fältström wrote:
>> What I am against is this *CHANGE* in who is responsible.
>
> I don't see NTAs changing who is responsible. I see it changing who
> absorbs the costs. Without NTAs, it is primarily the validator
> operator and those costs can't be passed on to the responsible folks.
> With NTAs, the validator operator can avoid those costs.

I understand the economics involved, and I started to write more about
that in my response, but decided to focus on the SECurity issues instead
because I think that's the key issue. Fortunately Paul handled the
economic stuff better than I could have.

It sucks that validating ISPs are going to get blamed for validation
failures, but this is a cost that they already absorb for other failures
that they don't control. End users do not have the sophistication to
understand *why* something broke, or even *where*. They just know that
they can't get to where they want to go, and if that happens they
blame/contact the ISP.

What's being suggested with NTAs is that because validation *is*
something that they control, it would be nice to have a knob to easily
disable validation per zone. I get that. But ...

> The authority that has screwed up has increased risks that the names
> they are serving can be poisoned which they presumably care about if
> they have bothered to sign (even if they screwed it up). I have some
> faith that if an authority screws up, numerous people will make them
> aware of that screwup.

The problem, and I cannot emphasize this highly enough, is that there is
absolutely no way for an ISP (or other end-user site doing
recursion/validation) to determine conclusively that the failure they
are seeing is due to a harmless stuff-up, vs. an actual security incident.
IOW, if we do this, we might as well just abandon DNSSEC altogether.

> More pragmatically, while I understand the theory behind rejecting
> NTAs, I have to admit it feels a bit like the IETF rejecting NATs
> and/or DNS redirection. I would be surprised if folks who implement
> NTAs will stop using them if they are not accepted by the IETF.

Actually I think what's more likely to happen is that organizations
conclude that validation is not ready for prime time, and turn it off.
And as much as I'm a huge fan of doing validation on the end host, I
think at this stage doing it at the network level is better since at
least at that level there should be sufficient clue to contact the site
about the errors.

Doug
--
If you're never wrong, you're not trying hard enough
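Added illustration, not part of the thread above: a small Python model of a validating resolver's decision path with a Negative Trust Anchor configured. It shows the point Doug makes, that an NTA keys on the zone name alone, so an expired-RRSIG stuff-up and a forged answer both come back "bogus" without the NTA and both pass as "insecure" with it. Zone names, key material and the HMAC stand-in for the DNSSEC public-key signature check are constructed assumptions.

```python
import hmac, hashlib
from dataclasses import dataclass

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# Constructed "DNSKEY" material. An HMAC key stands in for the public-key
# signature check a real validator performs (DNSSEC uses RSA/ECDSA keys).
ZONE_KEYS = {"example.": b"zone-key-held-by-example-operator"}

@dataclass
class SignedRRset:
    name: str
    signer: str        # RRSIG signer name (the zone)
    inception: int     # RRSIG validity window, epoch seconds
    expiration: int
    rdata: bytes
    signature: bytes

def sign(name, signer, inception, expiration, rdata, key):
    msg = b"|".join([name.encode(), signer.encode(), str(inception).encode(),
                     str(expiration).encode(), rdata])
    sig = hmac.new(key, msg, hashlib.sha256).digest()
    return SignedRRset(name, signer, inception, expiration, rdata, sig)

def validate(rr, now):
    """Outcome with no NTA: the validator only sees pass or fail, not why."""
    key = ZONE_KEYS.get(rr.signer)
    if key is None:
        return INSECURE                      # unsigned zone, no chain of trust
    if not rr.inception <= now <= rr.expiration:
        return BOGUS                         # expired RRSIG: typical operator error
    expected = sign(rr.name, rr.signer, rr.inception, rr.expiration, rr.rdata, key)
    if not hmac.compare_digest(expected.signature, rr.signature):
        return BOGUS                         # signature fails: possible forgery
    return SECURE

def validate_with_nta(rr, now, ntas, audit):
    """An NTA matches on zone name only and downgrades bogus to insecure."""
    outcome = validate(rr, now)
    if outcome == BOGUS and rr.signer in ntas:
        audit.append(f"NTA {rr.signer}: bogus answer for {rr.name} served as insecure")
        return INSECURE
    return outcome

def demo(now=1_000_000):
    # Constructed inputs: one stale-but-genuine RRset, one signed with the wrong key.
    stale = sign("www.example.", "example.", now - 2000, now - 1000, b"192.0.2.1", ZONE_KEYS["example."])
    forged = sign("www.example.", "example.", now - 100, now + 100, b"198.51.100.9", b"attacker-key")
    audit = []
    before = (validate(stale, now), validate(forged, now))
    after = (validate_with_nta(stale, now, {"example."}, audit),
             validate_with_nta(forged, now, {"example."}, audit))
    return before, after, audit
```

The audit list is the only trace the operator keeps of what the NTA let through, and both entries read the same apart from the data served.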
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop