David Conrad (drc) writes:

> I'd suggest that in the BCP/RFC/whatever, in addition to recommending that
> NTAs be time capped and not written to permanent storage, it should also
> recommend NTAs be written as specifically as possible. (Should be obvious,
> but doesn't hurt to reiterate I suppose).
What's wrong with "provide unvalidated results for this zone until it validates"?

I mean, we're now talking about automation, scripts to reinsert NTAs, etc. Then we might as well implement the logic to continually test validation for the SOA or some other specified record for the given zone, and re-enable validation.

So instead of calling it an NTA, call it a validation policy: the DNSSEC equivalent of IPsec's "required" vs. "use" policy setting. Yes, we all know how successful opportunistic encryption was. Yes, some are going to scream, but it is much better than nailing down an NTA ad vitam, or tracking TTLs, or which DS is active, or...

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
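The "validation policy" the reply sketches, as an added example that is not code from this thread or from any resolver: NTAs live only in memory with a hard time cap, a maintenance pass re-probes DNSSEC validation of the zone and drops the NTA the moment the zone validates again, and a query is treated as "validation required" unless a live NTA covers it. The probe is a stand-in callable (in a real resolver it would be a validating lookup of the zone's SOA with the NTA bypassed), `MAX_LIFETIME`, the `ValidationPolicy` class and the `demo()` scenario are all constructed for this example.

```python
"""Added example, not code from the dns-operations thread or any resolver.

Models the 'validation policy' the reply sketches: an NTA is a time-capped,
memory-only entry; a periodic tick re-probes DNSSEC validation of the zone
and drops the NTA as soon as the zone validates again or the cap is hit.
The probe is a stand-in callable (assumption) so the example runs offline.
"""
from dataclasses import dataclass
import time


@dataclass
class NTA:
    zone: str          # canonical form: lowercase, trailing dot
    expires_at: float  # hard cap from the clock; never extended in place
    reason: str = ""


class ValidationPolicy:
    """Per-zone DNSSEC policy: 'required' unless a live NTA covers the name."""

    MAX_LIFETIME = 7 * 24 * 3600  # assumption: one-week cap on any NTA

    def __init__(self, probe, clock=time.monotonic):
        # probe(zone) -> bool: does the zone's SOA validate right now, with the
        # NTA bypassed? Stubbed by the caller in this example.
        self._probe = probe
        self._clock = clock
        self._ntas = {}  # zone -> NTA, in memory only (nothing is persisted)

    @staticmethod
    def canonical(name):
        name = name.strip().lower()
        if name in ("", "."):
            return "."
        return name if name.endswith(".") else name + "."

    def add(self, zone, lifetime, reason=""):
        """Install an NTA for exactly `zone`, capped at MAX_LIFETIME seconds."""
        zone = self.canonical(zone)
        if zone == ".":
            raise ValueError("refusing an NTA for the root")
        lifetime = min(lifetime, self.MAX_LIFETIME)
        nta = NTA(zone, self._clock() + lifetime, reason)
        self._ntas[zone] = nta
        return nta

    def covering_nta(self, qname):
        """Most specific live NTA at or above qname, or None.

        An NTA has to cover names below the zone too, because the chain of
        trust for www.example.org. runs through example.org.'s keys; that is
        why the NTA should sit exactly where the breakage is, not at a parent.
        """
        qname = self.canonical(qname)
        now = self._clock()
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:]) + "."
            nta = self._ntas.get(candidate)
            if nta is not None and nta.expires_at > now:
                return nta
        return None

    def validation_required(self, qname):
        return self.covering_nta(qname) is None

    def tick(self):
        """Maintenance pass: drop expired NTAs and any whose zone validates again."""
        now = self._clock()
        removed = []
        for zone, nta in list(self._ntas.items()):
            if nta.expires_at <= now:
                removed.append((zone, "expired"))
            elif self._probe(zone):
                removed.append((zone, "validates again"))
            else:
                continue
            del self._ntas[zone]
        return removed


def demo():
    """Constructed scenario: example.org. breaks, gets an NTA, then is repaired."""
    state = {"now": 0.0, "validates": {"example.org.": False}}
    policy = ValidationPolicy(probe=lambda z: state["validates"].get(z, True),
                              clock=lambda: state["now"])
    policy.add("example.org", lifetime=3600, reason="operator let RRSIGs expire")
    covered = not policy.validation_required("www.example.org")  # NTA applies below the zone
    untouched = policy.validation_required("example.com")         # no NTA: still 'required'
    state["validates"]["example.org."] = True                     # zone repaired upstream
    removed = policy.tick()                                        # probe succeeds, NTA dropped
    restored = policy.validation_required("www.example.org")
    return covered, untouched, removed, restored
```

Running `tick()` from a timer gives the "continually test validation" behaviour without any script reinserting NTAs: the entry disappears on its own as soon as the zone validates, and the cap guarantees it disappears anyway even if nobody ever looks at it again.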