Inline
On 4/11/12 10:16 AM, "Tony Finch" <d...@dotat.at> wrote:

>Griffiths, Chris <chris_griffi...@cable.comcast.com> wrote:
>> On Apr 10, 2012, at 8:11 PM, Wes Hardaker wrote:
>>
>> > Suggested rewrite:
>> >
>> > Furthermore, a Negative Trust Anchor MUST only be used for a
>> > short duration, perhaps for a day or less.
>>
>> Agreed. Maximum time supported makes sense to me.
>
>This only makes sense if the negative trust anchor is for a third party
>domain. There are situations where it makes sense to use negative trust
>anchors covering your own domains, and these might be necessary for a
>long period of time (because that would require a difficult upgrade or
>extensive renaming). There are more use cases than just the NASA screwup
>scenario.

True. We had an issue with one of our own domains that has persisted longer. So I think this argues against a maximum duration for all NTAs, and simply some TTL that the DNS admin can set (which could vary by domain).

The other alternative is to leave this question completely to implementers, where some will set a max duration for all NTAs, others will choose a TTL that varies by domain, and others still may not specify any times (in force until removed).

Jason

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
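The three expiry policies the message lays out (a hard maximum for every NTA, a per-domain TTL chosen by the DNS admin, or no timer at all so the anchor stays until removed) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not code from the DNSOP thread, from any draft, or from any real resolver. The class and function names, the `global_max_ttl` setting, and the sample zone names and timestamps are all constructed for illustration. The matching rule it assumes is that an NTA on a zone apex covers that name and everything beneath it, but never the parent zone or an unrelated sibling.

```python
"""Toy model of a resolver's Negative Trust Anchor (NTA) table.

Added example for the DNSOP discussion above; not the code of any resolver.
Policy knobs:
  NTATable(global_max_ttl=None) + per-entry ttl -> operator-chosen TTL per domain
  NTATable(global_max_ttl=<seconds>)            -> hard cap applied to every entry
  add(..., ttl=None) with no cap                -> in force until explicitly removed
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class NegativeTrustAnchor:
    """One NTA as an operator might configure it (constructed model)."""
    zone: str                 # apex of the zone whose bogus results are tolerated
    installed_at: float       # epoch seconds when the operator added it
    ttl: Optional[float]      # lifetime in seconds; None means "until removed"
    note: str = ""            # ticket or reason, so stale entries can be audited

    def expires_at(self) -> Optional[float]:
        return None if self.ttl is None else self.installed_at + self.ttl

    def is_active(self, now: float) -> bool:
        exp = self.expires_at()
        return exp is None or now < exp


def _canon(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Example.COM.' == 'example.com'."""
    return name.rstrip(".").lower()


class NTATable:
    def __init__(self, global_max_ttl: Optional[float] = None) -> None:
        self.global_max_ttl = global_max_ttl
        self._anchors: Dict[str, NegativeTrustAnchor] = {}

    def add(self, zone: str, now: float, ttl: Optional[float] = None,
            note: str = "") -> NegativeTrustAnchor:
        zone = _canon(zone)
        if self.global_max_ttl is not None:
            # A global cap both bounds explicit TTLs and forbids open-ended entries.
            ttl = self.global_max_ttl if ttl is None else min(ttl, self.global_max_ttl)
        nta = NegativeTrustAnchor(zone, now, ttl, note)
        self._anchors[zone] = nta
        return nta

    def remove(self, zone: str) -> bool:
        return self._anchors.pop(_canon(zone), None) is not None

    def expire(self, now: float) -> List[str]:
        """Drop entries whose TTL has elapsed; returns the zones removed (for logging)."""
        gone = [z for z, a in self._anchors.items() if not a.is_active(now)]
        for z in gone:
            del self._anchors[z]
        return gone

    def covering(self, qname: str, now: float) -> Optional[NegativeTrustAnchor]:
        """Return the active NTA covering qname, if any.

        An NTA on 'example.com' covers 'example.com' and 'www.example.com',
        but never the parent 'com' or the unrelated 'notexample.com'.
        """
        labels = _canon(qname).split(".")
        for i in range(len(labels)):
            nta = self._anchors.get(".".join(labels[i:]))
            if nta is not None and nta.is_active(now):
                return nta
        return None


def validation_bypassed(table: NTATable, qname: str, now: float) -> bool:
    """Decision a validator would consult when a chain fails to validate:
    True means 'treat the answer as insecure rather than bogus' because an
    active NTA covers the name."""
    return table.covering(qname, now) is not None


if __name__ == "__main__":
    # Constructed scenario: a third-party zone with a one-day NTA, and an
    # in-house zone the operator leaves open-ended until the fix lands.
    table = NTATable()
    table.add("example.com", now=1000.0, ttl=86400.0, note="constructed: bad DS")
    table.add("corp.example", now=1000.0, note="constructed: own zone, long-lived")
    for when in (1000.0 + 3600, 1000.0 + 86400):
        print(when, validation_bypassed(table, "www.example.com", when),
              validation_bypassed(table, "host.corp.example", when))
    print("expired:", table.expire(1000.0 + 86400))
```

Running the module prints `True True` for the first timestamp and `False True` for the second, then `expired: ['example.com']`: the third-party entry ages out on its own while the operator's own zone stays covered until `remove()` is called, which is exactly the asymmetry the thread is arguing about.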