pe> If NASA borks their DNSSEC, the large recursive resolvers eat huge
pe> customer support costs but NASA is mostly unscathed (and may not
pe> even notice immediately). So the incentive to do better
pe> operationally is light for NASA but the resolver operators have very
pe> little leverage to encourage them to do better.

dukhovni> That was true then, but the pain felt by auth server operators
dukhovni> has grown a bunch as over time more of the world is doing
dukhovni> validation.

Which is actually impeding DNSSEC for domains where outages of DNS instantly cause revenue issues. Knowing you're off the air in a significant part of the world means a good deal of the Alexa 1000 still won't sign their "money" domains.

NTAs as an option (along with public "flush this domain" for large recursives) blunt the arguments of DNSSEC haters that DNSSEC is too fragile for valuable domains.

Not saying NTAs are wonderful. Just saying that they are a necessary evil until we have better DS handling, key rollover software, and industry experience in operations. We did it (mostly) with certs and HTTPS and we can do it with DNSSEC, but we're not there yet.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
