On Apr 11, 2012, at 6:02 AM, Ralf Weber wrote:

>> Suggested rewrite:
>>
>> Furthermore, a Negative Trust Anchor MUST only be used for a short duration, perhaps for a day or less. Implementations MUST require an end-time configuration associated with any negative trust anchor. Implementations SHOULD limit the maximum time into the future to one day. In other words, the configuration directive will be invalid if it is missing an end-time or if the end time is greater than "now" plus 86400 seconds.
>
> I disagree with that. I have seen misconfigured domains that were misconfigured on error for a much longer time. Also, process-wise, if the negative trust anchors automatically get removed from the server and the domain is still misconfigured, it will go off again for the resolver operator's customers. The addition and the removal of a negative trust anchor should be a process in the operator's network and not an automation in software.
Two comments:

a) If end-time is specified as a date, not an interval, you can set the date to be 'end of epoch', so you can basically have it 'stay forever', even if that's not advised; which would make me think the proper approach is "it SHOULD/MUST be a warning when a negative trust anchor with duration longer than 1 day from current time is installed", but allow it to be installed. If an option allows someone to really shoot themselves in the foot, and a >1 week negative trust anchor should probably be considered that, even if allowable it should be warned.

b) Actually, I think it should also be auto-removed once the condition is fixed: continue to attempt to validate the zone in question. When the zone validates again, the default behavior should be to automatically remove the negative trust anchor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
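As an added illustration (not from the thread or from any resolver implementation), the lifecycle the reply argues for in (a) and (b): an end-time is mandatory, a lifetime beyond one day is warned about but allowed, and an anchor is dropped either at its end-time or as soon as the zone validates again. The `NTAStore` class, the injectable clock and the exact-zone matching are assumptions made for the example.

```python
"""Negative Trust Anchor (NTA) lifecycle sketch; constructed example, not resolver code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ONE_DAY = 86400  # the one-day limit discussed in the draft text


@dataclass
class NTAStore:
    # Clock is injected so the expiry logic can be exercised deterministically (assumption).
    now: Callable[[], float]
    anchors: Dict[str, float] = field(default_factory=dict)  # zone -> end-time (epoch secs)
    warnings: List[str] = field(default_factory=list)

    def install(self, zone: str, end_time: Optional[float]) -> bool:
        """Install an NTA for `zone`.

        A missing end-time is rejected (the MUST in the suggested text). A lifetime
        longer than one day is recorded as a warning but still installed, which is
        the position taken in comment (a). Returns True if the anchor was installed.
        """
        if end_time is None:
            return False
        if end_time > self.now() + ONE_DAY:
            self.warnings.append(f"{zone}: NTA lifetime exceeds one day")
        self.anchors[zone] = end_time
        return True

    def reconcile(self, validates: Callable[[str], bool]) -> List[str]:
        """Drop anchors that have reached their end-time or whose zone validates again.

        `validates(zone)` stands in for a fresh DNSSEC validation attempt; comment (b)
        wants a passing result to remove the anchor automatically. Returns removed zones.
        """
        removed = []
        for zone, end in list(self.anchors.items()):
            if end <= self.now() or validates(zone):
                removed.append(zone)
                del self.anchors[zone]
        return removed

    def is_suppressed(self, zone: str) -> bool:
        """True if a validation failure for exactly `zone` should currently be ignored."""
        end = self.anchors.get(zone)
        return end is not None and end > self.now()
```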