On Feb 17, 2013, at 7:00 AM, "Livingood, Jason" <jason_living...@cable.comcast.com> wrote:
> 1. Determine whether RFC 2119 language should be used or not when
> describing things like the duration of a NTA.

I never understood why one would have 2119 language in an operational document that says "here's a good idea for how to help your operations". Well, other than "people have used that language before", which is kinda an addictive response.

> 2. Determine whether this is an individual I-D or a DNSOP WG I-D.

It definitely seems related to DNS operations.

> 3. Determine whether this is Informational or a BCP.

Informational. Given that it is a new proposal, where's the "C"?

> 4. The DNSOP WG should discuss whether a 1 day limit is reasonable,
> whether a different time (more or less than 1 day, such as 1 hour or 1
> week) should be specified, or whether no time should be specified (just a
> recommendation that it SHOULD generally be limited to X).

Or a different proposal: "Your operations staff needs to determine how long is too long to allow a broken zone that could be also under attack, and how short is too quick for your operations staff to reassess the problem and remove the NTA; pick a value between those two".

> 5. The DNSOP WG should discuss how to assess when critical DNSSEC
> deployment mass has been achieved so that this is no longer a common
> practice.

Start by saying "three years" and see what people think.

> 6. Olafur Gudmundsson has suggested that we may want to consider whether a
> non validatable RRSIG should be returned or not when a NTA is in place.
> This was raised in the context of NLnet Labs' DNSSEC-Trigger, which
> apparently acts like forwarding stub-validator. He said, "The reason for
> this is if NTA strips signatures the stub-validator thinks it is under
> attack and may a) go into recursive mode to try to resolve the domain,
> getting to the right answer the long way. b) Give the wrong error "Missing
> signatures" instead of the real error. If all the validator does is not to
> set the AD bit for RRsets at and below the NTA, stub-resolvers (and
> cascading resolvers) should be happy."

That sounds right.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
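An added illustration of the resolver behaviour discussed in item 6 (not code from the thread or from any resolver): a toy model in which a validating resolver keeps the RRSIGs in its answer and only clears the AD bit for names at or below an active NTA, with the NTA carrying the expiry time debated in item 4. The `NTA`, `Response` and `apply_nta` names, the zone names and the timestamps are all constructed for the example.

```python
# Added example, not part of the DNSOP thread. Models one policy choice from
# the discussion: under an NTA, return the answer with its RRSIGs intact and
# AD cleared, rather than stripping signatures (which a downstream
# stub-validator would misread as a "missing signatures" attack).
from dataclasses import dataclass, field


@dataclass
class NTA:
    zone: str        # zone the NTA covers, e.g. "example.net."
    expires: float   # absolute time (seconds); NTA lapses at/after this


@dataclass
class Response:
    qname: str
    rrsets: list                          # constructed ("TYPE", data) tuples
    rrsigs: list = field(default_factory=list)
    ad: bool = False                      # Authenticated Data flag


def _at_or_below(name, zone):
    """True if `name` equals `zone` or lies underneath it (case-insensitive)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def active_ntas(ntas, now):
    """Only NTAs that have not yet expired at time `now` take effect."""
    return [n for n in ntas if now < n.expires]


def apply_nta(resp, validated_ok, ntas, now):
    """Return (response_or_None, status) for one answer.

    validated_ok is the outcome of ordinary DNSSEC validation. An active NTA
    covering the qname overrides a failed validation: the data is handed back
    unchanged, signatures included, but AD is never set.
    """
    covered = any(_at_or_below(resp.qname, n.zone)
                  for n in active_ntas(ntas, now))
    if covered:
        resp.ad = False              # never claim authentication under an NTA
        return resp, "nta"
    if validated_ok:
        resp.ad = True
        return resp, "secure"
    return None, "servfail"          # bogus data with no NTA is withheld
```

Once the NTA's `expires` time passes, the same bogus answer falls back to SERVFAIL, which is the "pick a value between those two" trade-off in item 4.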