>>>>> On Wed, 11 Apr 2012 13:40:23 +0200, Shane Kerr <sh...@isc.org> said:
SK> For example, I know someone who regularly forgets to re-sign his zones.
SK> Yes, he knows he should set BIND up to re-sign them automatically or
SK> perhaps use zkt, but that takes time and it's just his own vanity
SK> domain. Personally I would like to set a negative trust anchor for his
SK> zones until such time as he sets something like this up, since I know
SK> that the signatures will expire in a few months and break the zone for
SK> me at that time.

I'm sure ISC could stand up a helpful service to the world called DLNV
that could keep your friend's zone permanently registered in it. If we're
going down the broken-trust-anchor road, we might as well consider a
dynamic-lookup mechanism. You know it's coming.

SK> Plus, I know it is surprising to folks on this list, but some zones do
SK> not have full time administrators, and may have to wait until admin
SK> staff get back on Monday morning until they are fixed - or perhaps even
SK> until the one "computer guy" at a company gets back from vacation.

I'm not sure that installing a permanent "don't ever validate this"
configuration token is a good thing for that situation. If a zone is
signed and fails validation because of lack of responsibility then the
zone needs to be broken.

We don't, for example, provide a "for this zone, the real name servers are
actually somewhere.else.example.com because the zone operator is on
vacation and didn't update the registry". We could. We could offer "use
this instead for A, AAAA, MX, DS, ...". A slippery slope this way comes.

-- 
Wes Hardaker
SPARTA, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
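The failure mode the thread is arguing about, RRSIG signatures that quietly expire because nobody re-signed the zone, is something the zone operator can catch before the resolver side ever needs a negative trust anchor. The following is an added example, not code from the thread or from ISC: a small checker that parses RRSIG records in presentation format (the 14-digit expiration and inception timestamps of RFC 4034 section 3.2) and reports which signatures are expired, not yet valid, or within a warning window. The zone name `vanity.example.`, the key tag and the signature data are constructed placeholders, and the "now" value is fixed so the run is reproducible.

```python
"""Check RRSIG expiration timestamps in signed zone data (added example).

Reads RRSIG records as a signed zone file or `dig +dnssec` shows them and
flags signatures that have expired or are about to, which is the
monitoring a zone needs when re-signing is not automated.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample zone: three RRSIGs for a hypothetical vanity domain.
# Key tag 12345 and the signature fields (AAAA== etc.) are placeholders,
# not real signature data.
SAMPLE_ZONE = """\
vanity.example. 3600 IN RRSIG SOA 8 2 3600 20120502120000 20120402120000 12345 vanity.example. AAAA==
vanity.example. 3600 IN RRSIG NS 8 2 3600 20120410120000 20120311120000 12345 vanity.example. BBBB==
vanity.example. 3600 IN RRSIG MX 8 2 3600 20120420120000 20120401120000 12345 vanity.example. CCCC==
vanity.example. 3600 IN A 192.0.2.1
"""


def parse_rrsig_time(text):
    """Parse the YYYYMMDDHHmmSS timestamp form of RRSIG presentation format (UTC)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Return the fields of one RRSIG record, or None if the line is another type.

    Field order after the owner/TTL/class/RRSIG prefix: type covered,
    algorithm, labels, original TTL, expiration, inception, key tag,
    signer name, signature.
    """
    fields = line.split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        return None
    return {
        "owner": fields[0],
        "type_covered": fields[4],
        "algorithm": int(fields[5]),
        "expiration": parse_rrsig_time(fields[8]),
        "inception": parse_rrsig_time(fields[9]),
        "key_tag": int(fields[10]),
        "signer": fields[11],
    }


def classify(sig, now, warn_window=timedelta(days=14)):
    """Classify a parsed RRSIG relative to `now`.

    Returns "expired", "not-yet-valid", "expiring" (inside the warning
    window) or "ok". Expired and not-yet-valid signatures both fail
    validation at a resolver, so both are treated as actionable.
    """
    if now >= sig["expiration"]:
        return "expired"
    if now < sig["inception"]:
        return "not-yet-valid"
    if sig["expiration"] - now <= warn_window:
        return "expiring"
    return "ok"


def check_zone(text, now, warn_window=timedelta(days=14)):
    """Return (owner, type covered, status) for every RRSIG in `text`.

    Non-RRSIG records are skipped.
    """
    results = []
    for line in text.splitlines():
        sig = parse_rrsig(line)
        if sig is not None:
            results.append((sig["owner"], sig["type_covered"], classify(sig, now, warn_window)))
    return results


if __name__ == "__main__":
    # Fixed reference time so the sample output is reproducible.
    now = parse_rrsig_time("20120411134023")
    for owner, rtype, status in check_zone(SAMPLE_ZONE, now):
        print(f"{owner} RRSIG({rtype}): {status}")
```

In practice the reference time would be the current UTC time and the input a zone transfer or the output of `dig +dnssec`; a daily cron run of this check gives the operator the lead time the quoted message says is missing, without any resolver having to disable validation for the zone.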