On 2/16/13 6:32 PM, "Ted Lemon" <ted.le...@nominum.com> wrote:
>> I'm confused where you drew the reference to 5280 from (or X.509). I
>> don't see anything in the draft that concerns publication or automatic
>> retrieval of NTAs from elsewhere; which section did I miss?
>
> Sorry, I was one RFC deeper in the reference tree than I thought. The
> draft that Jason's draft references is RFC5914, not RFC5280, in Section
> 7. RFC5914 in turn references RFC5280. :)

A Negative Trust Anchor should IMO be locally configured and not rely upon any external validation or sourcing for the Negative Trust Anchor(s). It basically tells the recursive resolver to not perform (skip) DNSSEC validation on a specific domain name for which a Negative Trust Anchor has been locally configured. Since it would be locally configured, it should not rely on the CA infrastructure at all, and all of the inherent issues of that - or need to rely on certificate revocations and whatnot.

Also, if a domain has already messed up their DNSSEC signing operations, it is unlikely they'd figure out a way to properly sign a Negative Trust Anchor or anything else for that matter.

I hope that helps, assuming of course that I understood the question relating RFC5280 to this I-D. :-)

Jason

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
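As an added illustration of the local-configuration model described in the reply above (example code written for this page, not from the draft or from any resolver's implementation), the sketch below models a recursive resolver's NTA table: entries come only from the local operator, cover the configured name and everything below it, and lapse on their own so validation resumes without anyone remembering to remove them. The class and function names and the fixed lifetimes are assumptions.

```python
import time


class NegativeTrustAnchors:
    """Locally configured NTAs: name -> absolute expiry (seconds since epoch).

    Nothing here fetches data from the network; the only way an entry
    appears is a local add() call by the operator (an assumption of this
    sketch, mirroring the 'locally configured' point in the thread).
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._entries = {}

    @staticmethod
    def _normalize(name):
        # DNS names are case-insensitive; drop the trailing root dot.
        return name.lower().rstrip(".")

    def add(self, name, lifetime_seconds):
        owner = self._normalize(name)
        if owner == "":
            # An NTA at the root would switch off validation everywhere.
            raise ValueError("refusing to configure an NTA for the root")
        self._entries[owner] = self._now() + lifetime_seconds

    def covering(self, qname):
        """Return the NTA name covering qname (itself or an ancestor), else None."""
        labels = self._normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            expiry = self._entries.get(candidate)
            if expiry is None:
                continue
            if expiry <= self._now():
                del self._entries[candidate]   # expired: validation resumes
                continue
            return candidate
        return None


def should_validate(ntas, qname):
    """Decide whether the resolver validates qname; returns (validate, nta)."""
    nta = ntas.covering(qname)
    return (nta is None, nta)


if __name__ == "__main__":
    table = NegativeTrustAnchors()
    table.add("example.com.", 3600)            # constructed sample entry
    print(should_validate(table, "www.Example.COM"))   # (False, 'example.com')
    print(should_validate(table, "example.org"))       # (True, None)
```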