Moin! Not to answer anyone specific, as a lot of people seemed to spend their weekend commenting on this and I don't want to increase the incoming mail folders too much.
In general I agree with what David Conrad said, but want to spare you a couple of +1 mails and just want to add some remarks. We are still talking about the draft submitted by Jason Livingood, which just describes negative trust anchors which are available in validators today. We are not talking about creating a list or technology to distribute negative trust anchors, although this may be an idea at least as good as DLV.

The current use case for DNSSEC is protection against cache poisoning for resolvers (been there and therefore want DNSSEC), and while there is a great potential for security applications using DNSSEC once it is widely deployed, we need to have that deployment first, and that will not happen in one day, but rather will be a gradual rollout when looked at from a global perspective, or even within regional markets. So operators rolling out DNSSEC always will be in competition with operators who don't have it. And the average end user will never understand the difference between the two, no matter how well you market it. He will only understand "I can get there with X and can't get there with Y." Which means that in order to not lose customers, operators have to install procedures for dealing with failures, and if the procedure is "turn it off completely" and this happens a couple of times, upper management will ask why a technology that has to be turned off from time to time, and does work when turned off, is needed at all. And turning it off completely will get more management attention than deploying an NTA for just a failed domain, especially if there is a worked-out process in operations.
If I look at what failures have happened during DNSSEC deployment, which granted is early, but so far also mostly done by professionals earning their money with DNS software or services, I see the following (I'm not claiming this list is complete):

- TLD failures more than once
- Interoperability problems
- Different interpretations of RFCs
- Different levels of liberalism in what to accept
- some publicly visible domains failing

I don't believe that further deployment will be without errors, and as said a lot of times, the cost of these errors will be on the validator operators. So in order to get them to deploy DNSSEC we have to give them tools to deal with errors. If the IETF or this group wants to ignore these operational facts and not give new people guidance on how to deal with them, and "do nothing" is not acceptable advice here, I doubt that a lot of people will adopt DNSSEC, or they will move back after the first or second failure, and that would not be the outcome I would want.

So long
-Ralf

---
Ralf Weber
Senior Infrastructure Architect
Nominum Inc.
2000 Seaport Blvd. Suite 400
Redwood City, California 94063
[email protected]

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
