On 23 Aug 2013 at 19:54, UFJORw== wrote:

> NTA is a way to turn off DNSSEC for a single domain instead of
> having to go completely insecure, like some did a few days ago
> during the gov algorithm rollover screw up (BTW shutting DNSSEC
> validation down to have at least their own domain working was not
> the best thing to do: temporarily adding their own KSK to the list
> of trust anchors was the way to go (as the most specific key is
> preferred by all implementations I know of (despite the stupidity
> that is written here: http://tools.ietf.org/html/rfc6840#appendix-C
> )))
Ummm. No. Not all of our domains are necessarily signed or in a signed tree. The .gov screw-up broke secure and insecure delegations from .gov. I considered all this as I watched the .gov DNSKEY RRSet TTL count down in those caches which still had it before recommending we disable validation until it could be corrected.

Having your TLD screw up DNSSEC validation is particularly bad...

Scott

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
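The three resolver-side reactions the thread contrasts (disabling validation outright, a negative trust anchor for the one broken zone, and a temporary explicit trust anchor for that zone's KSK), written out as an added example for Unbound; this is not configuration from either poster. The zone name follows the thread's .gov case and the DNSKEY data is a placeholder, not a real key.

```conf
server:
    # Option A (what the thread describes some operators doing): drop the
    # validator module entirely. Every answer, for every zone, becomes unvalidated.
    # The default value is "validator iterator"; this line is shown only for contrast.
    # module-config: "iterator"

    # Option B: the NTA approach. Only this zone and everything under it is
    # treated as insecure; validation for all other zones stays on. Remove it
    # once the zone's DNSKEY/DS chain is repaired.
    domain-insecure: "gov."

    # Option C: the approach the quoted poster argues for. Configure the zone's
    # KSK as an explicit trust anchor so validation below it no longer depends on
    # the DS record in the parent. Unbound accepts the anchor as a DNSKEY or DS
    # record in presentation format. PLACEHOLDER_KEY_DATA must be replaced with the
    # zone's actual KSK; it is not a real key.
    trust-anchor: "gov. DNSKEY 257 3 8 PLACEHOLDER_KEY_DATA"
```

Option B and C both scope the change to a single zone, which is the point made against option A; Scott's reply notes that a broken TLD still breaks the insecure delegations beneath it, which neither a trust anchor for the TLD's own KSK nor a single-zone NTA addresses on its own.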