Scott,

On Apr 16, 2012, at 4:52 AM, Scott Schmit wrote:
>> Given the implicit assertions associated with NTA (specifically, that
>> the validator operator is asserting that the zone in question is not
>> being spoofed despite the fact that validation is failing), I have
>> some skepticism that folks will let stuff like this 'junk up NTA
>> lists'.
>
> Please explain how operators will prevent this, and why they can afford
> to remove a zone from the NTA list (while it is still failing) but
> couldn't afford to leave it off the list in the first place.

I would assume operators will keep NTAs alive until the zone owner fixes things. You appear to be assuming zone owners will leave brokenness in place. In the case of popular zones (which would be the most likely candidates for NTAs, since end users would notice the brokenness and complain to the validator operator), I'd imagine there would be some pressure to fix things, either by pulling the DS or by remedying whatever booboo caused the problem to begin with.

My impression is that those who are arguing against NTAs believe that NTAs reduce that pressure. I'd agree with this to some extent; however, I suspect that because of the indirect nature of the failures, the vast majority of complaints the zone owner will receive will come from validator operators, not end users.

> No, I'm talking about a targeted use of the controversial practice of
> returning spoofed results redirecting the user to another host.

An interesting idea, albeit I'm actually unsure which is less appealing architecturally speaking. For others against NTAs, is the use of redirection as Scott suggests preferable?

Regards,
-drc

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
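The lifecycle David describes above (the operator asserts an NTA while validation for a zone is failing, keeps it while the breakage persists, and drops it once the zone owner fixes things) is easy to get wrong if the list is maintained by hand, which is what the "junk up NTA lists" concern is about. The following is an added example, not code from this thread or from any validator implementation: a toy NTA table that re-probes each covered zone on a fixed interval, drops the entry as soon as validation succeeds again, and also expires it after a hard lifetime so that a forgotten NTA cannot silently disable validation forever. The validation probe and the zones used in the demo are constructed so it runs offline; the class and function names are assumptions for the illustration.

```python
"""Toy model of a Negative Trust Anchor (NTA) table with automatic recheck.

Added example, not code from the DNSOP thread or from any real validator.
Assumptions: names are plain DNS names; the probe callback stands in for
an actual DNSSEC validation attempt for the zone.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def _canon(name: str) -> str:
    """Canonical form: lower-case, single trailing dot."""
    return name.strip().lower().rstrip(".") + "."


@dataclass
class NegativeTrustAnchor:
    zone: str            # zone the NTA covers (canonical form)
    added: float         # when the operator asserted it (seconds)
    lifetime: float      # hard cap: the NTA expires regardless of state
    recheck: float       # how often validation is re-probed for the zone
    last_checked: float  # last time the probe ran for this zone
    reason: str = ""     # operator note: who asserted it and why


class NtaTable:
    """NTA list with bounded lifetime and periodic revalidation."""

    def __init__(self, lifetime: float = 3600.0, recheck: float = 300.0):
        self.lifetime = lifetime
        self.recheck = recheck
        self._ntas: Dict[str, NegativeTrustAnchor] = {}

    def add(self, zone: str, now: float, reason: str = "",
            lifetime: float = None) -> None:
        """Assert (or re-assert) an NTA; re-adding restarts the lifetime."""
        z = _canon(zone)
        self._ntas[z] = NegativeTrustAnchor(
            zone=z, added=now,
            lifetime=self.lifetime if lifetime is None else lifetime,
            recheck=self.recheck, last_checked=now, reason=reason)

    def covers(self, name: str, now: float) -> bool:
        """True if name is at or below a zone with a live (unexpired) NTA."""
        labels = _canon(name).rstrip(".").split(".")
        for i in range(len(labels)):
            nta = self._ntas.get(".".join(labels[i:]) + ".")
            if nta is not None and now - nta.added < nta.lifetime:
                return True
        return False

    def sweep(self, now: float,
              validates: Callable[[str, float], bool]) -> List[str]:
        """Expire stale NTAs and drop those whose zone validates again.

        validates(zone, now) is the probe: True means DNSSEC validation for
        the zone currently succeeds, so the operator's assertion is no
        longer needed. Returns the zones removed in this sweep.
        """
        removed: List[str] = []
        for zone, nta in list(self._ntas.items()):
            if now - nta.added >= nta.lifetime:
                del self._ntas[zone]          # hard expiry, even if still broken
                removed.append(zone)
                continue
            if now - nta.last_checked >= nta.recheck:
                nta.last_checked = now
                if validates(zone, now):
                    del self._ntas[zone]      # zone owner fixed it: drop NTA
                    removed.append(zone)
        return removed


def demo() -> List[Tuple[float, List[str], bool]]:
    """Run the table against a constructed probe and report each sweep."""
    table = NtaTable(lifetime=3600.0, recheck=300.0)
    table.add("Example.COM.", now=0.0, reason="DS/DNSKEY mismatch, users complaining")
    table.add("broken.test", now=0.0, reason="expired RRSIGs")

    # Constructed probe: example.com is repaired at t=600, broken.test never is.
    fixed_at = {"example.com.": 600.0}

    def probe(zone: str, now: float) -> bool:
        return now >= fixed_at.get(zone, float("inf"))

    events = []
    for now in (0.0, 299.0, 300.0, 600.0, 3600.0):
        removed = sorted(table.sweep(now, probe))
        events.append((now, removed, table.covers("www.example.com", now)))
    return events


if __name__ == "__main__":
    for now, removed, covered in demo():
        print(f"t={now:6.0f}s removed={removed} www.example.com covered={covered}")
```

The two knobs matter in opposite directions: a short recheck interval gets the NTA out of the way as soon as the zone owner repairs the DS or signatures, while the hard lifetime forces the operator to consciously re-assert the NTA for a zone that stays broken rather than leaving validation disabled for it indefinitely.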
