On May 1 2012, Shane Kerr wrote:
[...]
On Wednesday, 2012-04-18 19:52:14 +0100,
Jim Reid <j...@rfc1035.com> wrote:
On 18 Apr 2012, at 19:28, David Conrad wrote:
> If you don't like the policy of your validator operator, change to
> a validator operator whose policy you agree with (or, better yet,
> run your own validator -- it is the only way to be sure). If you
> are not permitted to do this, you have other issues.

+1
Though you've not explained how someone would be able to find out
what was the flavour-of-the-month policy of the validator operator
they were using that day. Assuming the current network's validation
policy was broken (for some definition of broken) would of course be
a wise approach. That probably means everyone runs their own
validator to avoid sucky hotel nets and the like. Which just moves
where NTAs get (mis)configured.

Well, there is perhaps an idea here. If we make NTA something that can
be queried, then you would have this ability. Full transparency seems
good, although in practice I'm not sure anyone would actually use the
facility if it was available.

What would be needed would be a method of finding out about *all*
DNSSEC trust anchors being used, both positive and negative.
And what about DLV? (sorry, Jim)
--
Chris Thompson University of Cambridge Computing Service,
Email: c...@ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop