On 2011-06-02, at 13:17, João Damas wrote:

> at first glance it might look useful, but this is the kind of info that tends
> to go stale and then what do you do when there is a mismatch?

I guess you flag it for manual investigation. The alternative is that you don't really know when a situation is actually bad until the signature expires, and it'd be nice to have some early warning. I could maintain a manual table of what "bad" means for particular zones based on observation, but that seems even more likely to become stale.

> Would you invalidate a still-valid signature if it doesn't conform to policy
> in case someone else is signing the zone other than the authorised party?

Nope, but (especially in these early days of deployment) perhaps it might merit a note to an administrator, or a heads-up to a public list.

> Would you send mail to the zone admin? (and knowing the people on this list,
> that would be a lot of email on top of that admin) :)
>
> Shouldn't this sort of admin work be done by the admin, either internally or
> by outsourcing to some other organisation?

I guess my point is that unless you're the person involved in signing a particular zone, telling when there's a signature expiration problem looming is not easy.

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
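The "early warning" Joe describes, as an added example that is not part of the thread: parse RRSIG records in presentation format (RFC 4034, as printed by `dig +dnssec`) and flag signatures that have expired or will expire within a warning window, so a monitor can raise them for manual investigation rather than waiting for validation to fail. The RRSIG lines, the zone name `example.test.` and the fixed `NOW` are constructed for the example.

```python
# Added example (not code from the DNSOP thread): early warning for RRSIG
# expiration. Assumes records are supplied as RFC 4034 presentation-format
# text lines; the sample RRSIGs below are constructed, not from a real zone.
from datetime import datetime, timedelta, timezone

# Constructed sample: owner TTL class RRSIG, then type covered, algorithm,
# labels, original TTL, expiration, inception, key tag, signer, signature.
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG SOA 8 2 3600 20110615000000 20110601000000 12345 example.test. AbCd==
example.test. 3600 IN RRSIG NS 8 2 3600 20110604120000 20110521120000 12345 example.test. EfGh==
www.example.test. 3600 IN RRSIG A 8 3 3600 20110515000000 20110501000000 12345 example.test. IjKl==
"""

# Fixed "current time" so the example is reproducible (constructed value).
NOW = datetime(2011, 6, 2, 13, 17, tzinfo=timezone.utc)

def parse_rrsig_time(s):
    # RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034 s3.2).
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Pick RRSIG records out of presentation-format lines; skip anything else."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        records.append({
            "owner": f[0], "covers": f[4],
            "expiration": parse_rrsig_time(f[8]),
            "inception": parse_rrsig_time(f[9]),
            "signer": f[11],
        })
    return records

def check_expiry(records, now, warn_days=7):
    """Return (owner, type covered, status) for each signature needing attention:
    'expired' if past expiration, 'expiring' if it expires within warn_days."""
    findings = []
    for r in records:
        remaining = r["expiration"] - now
        if remaining <= timedelta(0):
            findings.append((r["owner"], r["covers"], "expired"))
        elif remaining <= timedelta(days=warn_days):
            findings.append((r["owner"], r["covers"], "expiring"))
    return findings

if __name__ == "__main__":
    for finding in check_expiry(parse_rrsigs(SAMPLE_RRSIGS), NOW):
        print(finding)
```

Which `warn_days` is right depends on the zone's re-signing cadence; a signer that refreshes signatures every few days needs a shorter window than one that re-signs monthly, which is the per-zone "what bad means" table Joe mentions.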