Moin!

On 11.04.2012, at 02:11, Wes Hardaker wrote:

> 1) In addition to the following statement:
>
>    Furthermore, a Negative Trust Anchor should
>    be used only for a short duration, perhaps for a day or less.
>
> I'd go ahead and insert MUST/SHOULD/MAY language as well (realizing
> that if there is a document people will ignore it in, this is likely
> to be one). And then add some timing constraints too [reading the
> rest of the thread after typing this, I note that Shane also
> suggested an end time, but the proposal below also imposes a maximum
> end-time allowable].
>
> Suggested rewrite:
>
>    Furthermore, a Negative Trust Anchor MUST only be used for a
>    short duration, perhaps for a day or less. Implementations MUST
>    require an end-time configuration associated with any negative
>    trust anchor. Implementations SHOULD limit the maximum time into
>    the future to one day. In other words, the configuration
>    directive will be invalid if it is missing an end-time or if the
>    end time is greater than "now" plus 86400 seconds.
I disagree with that. I have seen misconfigured domains that were misconfigured in error for a much longer time. Also, process-wise, if the negative trust anchors automatically get removed from the server and the domain is still misconfigured, it will go off again for the resolver operator's customers. The addition and the removal of a negative trust anchor should be a process in the operator's network and not an automation in software.

> 2) I also suggest you rename the concept to "Negative Anchors of Trust"
> and then sprinkle the document with statements like the following:
>
>    NATs are not an appropriate long-term solution and if they need to be
>    used, they MUST be used only for short periods of time.

Again I have a problem with the MUST. As above, it should be a SHOULD.

So long
-Ralf
---
Ralf Weber
Senior Infrastructure Architect
Nominum Inc.
2000 Seaport Blvd. Suite 400
Redwood City, California 94063
ralf.we...@nominum.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
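The rule quoted above from Wes's proposal (an end time is REQUIRED, and it SHOULD lie no more than 86400 seconds after "now") is concrete enough to show as load-time validation. The following is an added example written for this page; it is not code from the DNSOP thread, from any draft, or from any resolver (Nominum's or otherwise). The `nta <zone> end=<UTC timestamp>` directive syntax is invented for illustration, the sample configuration is constructed, and "now" is pinned to the timestamp of the message so the results are reproducible. Because the thread disputes the one-day ceiling, it is a parameter rather than a hard-coded constant; the MUST on the end time is enforced unconditionally.

```python
"""Validation of a hypothetical negative-trust-anchor (NTA) config directive.

Added example, not from the DNSOP thread or any resolver's code base.
Directive syntax (invented for this example):

    nta <zone> end=<YYYY-MM-DDTHH:MM:SSZ>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The SHOULD ceiling from the quoted proposal: "now" plus 86400 seconds.
# Operators who agree with the reply above can pass a longer value.
MAX_NTA_LIFETIME = timedelta(seconds=86400)


class NTAConfigError(ValueError):
    """A directive that must be rejected when the configuration is loaded."""


@dataclass(frozen=True)
class NegativeTrustAnchor:
    name: str            # canonical zone name: lower-case, trailing dot
    end_time: datetime   # UTC instant after which the anchor is ignored


def _canonical(name: str) -> str:
    return name.lower().rstrip(".") + "."


def parse_nta_directive(line, now, max_lifetime=MAX_NTA_LIFETIME):
    """Parse one directive and enforce: end time REQUIRED (MUST), not in the
    past, and no more than max_lifetime after `now` (the SHOULD)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "nta":
        raise NTAConfigError("not an nta directive: %r" % line)
    name = _canonical(tokens[1])
    options = dict(tok.split("=", 1) for tok in tokens[2:] if "=" in tok)
    if "end" not in options:
        raise NTAConfigError("NTA for %s has no end time" % name)
    try:
        end = datetime.strptime(options["end"], "%Y-%m-%dT%H:%M:%SZ")
        end = end.replace(tzinfo=timezone.utc)
    except ValueError:
        raise NTAConfigError("NTA for %s has unparseable end time %r"
                             % (name, options["end"])) from None
    if end <= now:
        raise NTAConfigError("NTA for %s already ended at %s" % (name, end.isoformat()))
    if end - now > max_lifetime:
        raise NTAConfigError("NTA for %s ends more than %s after now" % (name, max_lifetime))
    return NegativeTrustAnchor(name, end)


def load_ntas(config_text, now, max_lifetime=MAX_NTA_LIFETIME):
    """Load all directives. Returns (accepted anchors, [(line, reason), ...])
    so that rejected lines are reported instead of silently dropped."""
    accepted, rejected = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            accepted.append(parse_nta_directive(line, now, max_lifetime))
        except NTAConfigError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


def nta_in_effect(qname, anchors, now):
    """True if qname is at or below an anchor that has not reached its end
    time, i.e. the resolver should treat a validation failure there as
    insecure rather than bogus. Once end_time passes, the anchor stops
    applying with no further configuration change (the automatic removal
    the reply above objects to)."""
    qname = _canonical(qname)
    for anchor in anchors:
        if now < anchor.end_time and (
                qname == anchor.name or qname.endswith("." + anchor.name)):
            return True
    return False


# Constructed sample configuration; none of these zones is a real incident.
SAMPLE_CONFIG = """
# one valid anchor, then three that the proposed rules reject
nta Example.COM end=2012-04-11T20:00:00Z
nta broken.example
nta stale.example end=2012-04-10T00:00:00Z
nta longer.example end=2012-04-15T00:00:00Z
"""

# "now" pinned to the date and time of the message above.
NOW = datetime(2012, 4, 11, 2, 11, tzinfo=timezone.utc)

if __name__ == "__main__":
    anchors, problems = load_ntas(SAMPLE_CONFIG, NOW)
    for a in anchors:
        print("accepted:", a.name, "until", a.end_time.isoformat())
    for line, reason in problems:
        print("rejected:", line, "->", reason)
    print("www.example.com covered now?", nta_in_effect("www.example.com", anchors, NOW))
```

Running it with the default one-day ceiling accepts only `example.com.` and rejects the other three lines with a reason each; passing `max_lifetime=timedelta(days=7)` to `load_ntas` additionally accepts `longer.example.`, which is the knob an operator would turn if they side with the reply above about how long real misconfigurations last.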