Paul,

On Apr 18, 2012, at 11:08 AM, paul vixie wrote:

> DNSSEC currently presumes reliable end-to-end failure, and offers no way
> to signal other conditions.
True, in the sense that either a name (and the entire chain leading to that name) validates or it doesn't.

> NTA will change
> that, by adding middlemen who can decide as a matter of their own policy
> to just ignore these bad or missing signatures and pass your data to
> their stub clients as though DNSSEC had not been in use.

No. NTA is not adding middlemen. The way the vast majority of the DNS is implemented, namely stub communicating with a remote validator, there already exist middlemen. They're called the validator operators. NTA is allowing those middlemen to implement policies that meet their business requirements. Their validator, their rules.

If you don't like the policy of your validator operator, change to a validator operator whose policy you agree with (or, better yet, run your own validator -- it is the only way to be sure). If you are not permitted to do this, you have other issues.

Regards,
-drc

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop