On Feb 17, 2013, at 10:35 AM, Joe Abley <jab...@hopcount.ca> wrote:
> - hopcount.ca's signer explodes (or something else happens such that 
> hopcount.ca is badly signed)
> - since hopcount.ca is such a popular domain for Comcast customers, Comcast 
> DNS engineers take the time to discover that the validation failure for that 
> zone is in fact due to an operational problem and not an attack
> - Comcast adds a hopcount.ca.nta.comcast.com zone, which is signed
> - Comcast's validators pick up the NTA from that zone and configure 
> themselves accordingly

Yes. Although I think you can just sign nta.comcast.com, and have 
hopcount.ca.nta.comcast.com be some record in that zone, rather than making it 
an SOA. For extra credit, you could even make it a ZSK that could be used to 
validate the zone, in cases where the ZSK rollover was flubbed, but the zone is 
in fact signed and the ZSK it was signed with is known, and known to be good.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
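The scheme the two messages sketch (a signed nta.comcast.com zone whose child names tell validators which zones to stop validating, or which known-good ZSK to trust for a zone whose rollover went wrong) can be turned into validator configuration mechanically. The block below is an added example, not code from the thread or from Comcast; the record conventions (a TXT "nta" record meaning "treat this zone as insecure", a DNSKEY record meaning "trust this key for the zone"), the apex name and the sample zone data are all assumptions made for the example. The output uses the real Unbound directives `domain-insecure:` and `trust-anchor:`.

```python
"""Derive validator configuration from a signed NTA distribution zone.

Added example for the scheme discussed in the thread: a signed zone
(nta.comcast.com) whose child names carry negative trust anchors, or a
known-good ZSK, for zones that are currently failing validation.  The
record layout, apex name and sample data are assumptions, not anything
the thread specifies.  The zone itself is expected to have been fetched
and DNSSEC-validated before this script ever sees it; that is the whole
point of signing it.
"""
from dataclasses import dataclass
from typing import List, Optional

NTA_APEX = "nta.comcast.com."   # assumed apex of the NTA distribution zone

# Constructed sample zone in presentation format, one record per line.
# Conventions (assumed for this example):
#   <zone>.nta.comcast.com.  TXT "nta"                  -> treat <zone> as insecure
#   <zone>.nta.comcast.com.  DNSKEY <flags> 3 <alg> <b64> -> trust that key for <zone>
# The last line has an owner outside the apex; a zone transfer should never
# contain it, but a consumer must ignore it rather than act on it.
SAMPLE_ZONE = """\
nta.comcast.com.             3600 IN SOA    ns1.comcast.com. hostmaster.comcast.com. 2013021701 3600 900 1209600 3600
nta.comcast.com.             3600 IN NS     ns1.comcast.com.
hopcount.ca.nta.comcast.com. 3600 IN TXT    "nta"
example.net.nta.comcast.com. 3600 IN DNSKEY 256 3 8 AwEAAcdummykeymaterial==
evil.example.                3600 IN TXT    "nta"
"""


@dataclass(frozen=True)
class NtaEntry:
    zone: str          # zone the entry applies to, fully qualified
    mode: str          # "insecure" (negative trust anchor) or "key" (trusted ZSK)
    rdata: str = ""    # DNSKEY rdata when mode == "key"


def _target_zone(owner: str) -> Optional[str]:
    """Strip the NTA apex from an owner name; None if not strictly beneath the apex."""
    suffix = "." + NTA_APEX
    if owner.lower().endswith(suffix) and len(owner) > len(suffix):
        return owner[: -len(suffix)] + "."
    return None


def parse_nta_zone(text: str) -> List[NtaEntry]:
    """Extract NTA / trusted-key entries from zone text; unrelated records are skipped."""
    entries: List[NtaEntry] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        owner, _ttl, _cls, rtype = fields[:4]
        rdata = " ".join(fields[4:])
        zone = _target_zone(owner)
        if zone is None:
            continue                               # apex records or a stray owner
        if rtype == "TXT" and rdata.strip('"').lower() == "nta":
            entries.append(NtaEntry(zone, "insecure"))
        elif rtype == "DNSKEY":
            flags = fields[4]
            if flags not in ("256", "257"):        # must carry the ZONE bit
                continue
            entries.append(NtaEntry(zone, "key", rdata))
    return entries


def unbound_config(entries: List[NtaEntry]) -> str:
    """Render entries as an unbound.conf fragment (a 'server:' clause)."""
    lines = ["server:"]
    for e in entries:
        if e.mode == "insecure":
            # domain-insecure: validation below this name is switched off
            lines.append(f'    domain-insecure: "{e.zone}"')
        else:
            # trust-anchor: Unbound uses the closest enclosing anchor, so this
            # DNSKEY is used for the zone instead of the chain from the root
            lines.append(f'    trust-anchor: "{e.zone} DNSKEY {e.rdata}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(unbound_config(parse_nta_zone(SAMPLE_ZONE)))
```

Both directives are static configuration; a live resolver can be told the same thing without a restart with `unbound-control insecure_add <zone>` (and `insecure_remove` once the signer is fixed). Whichever path is used, the entry list is only as trustworthy as the validation of nta.comcast.com itself, and each entry should carry an expiry so an NTA added during an incident does not quietly outlive it.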