On 2013-02-17, at 10:48, Ted Lemon <ted.le...@nominum.com> wrote:

> On Feb 17, 2013, at 10:35 AM, Joe Abley <jab...@hopcount.ca> wrote:
>> - hopcount.ca's signer explodes (or something else happens such that
>> hopcount.ca is badly signed)
>> - since hopcount.ca is such a popular domain for Comcast customers, Comcast
>> DNS engineers take the time to discover that the validation failure for that
>> zone is in fact due to an operational problem and not an attack
>> - Comcast adds a hopcount.ca.nta.comcast.com zone, which is signed
>> - Comcast's validators pick up the NTA from that zone and configure
>> themselves accordingly
>
> Yes. Although I think you can just sign nta.comcast.com, and have
> hopcount.ca.nta.comcast.com be some record in that zone, rather than making
> it an SOA.

Yes, that's the kind of thing I had in mind.

> For extra credit, you could even make it a ZSK that could be used to validate
> the zone, in cases where the ZSK rollover was flubbed, but the zone is in
> fact signed and the ZSK it was signed with is known, and known to be good.

That sounds fancy!

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
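The validator-side logic the thread sketches (a signed nta.comcast.com zone with one record per suppressed domain, consulted only after a validation failure), as an added illustration that is not code from the thread or from Comcast. The record format, the expiry field, the ancestor walk and the zone contents are assumptions made for this example.

```python
from typing import Dict, List, Optional, Tuple
import time

NTA_SUFFIX = "nta.comcast.com."  # assumed suffix, following the thread's sketch

# Constructed stand-in for the signed NTA zone.  Each entry: owner name ->
# (expiry as unix time, whether the record's own RRSIG validated).  A real
# validator would query the zone and DNSSEC-validate the answer itself.
NTA_ZONE: Dict[str, Tuple[int, bool]] = {
    "hopcount.ca.nta.comcast.com.": (1_800_000_000, True),
    "badnta.example.nta.comcast.com.": (1_800_000_000, False),  # unvalidated: ignored
}

def nta_candidates(qname: str) -> List[str]:
    """Owner names to check for a failing qname: the name and each ancestor,
    because a broken signer at hopcount.ca breaks every name beneath it."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." + NTA_SUFFIX for i in range(len(labels))]

def find_nta(qname: str, now: int, zone: Dict[str, Tuple[int, bool]] = NTA_ZONE) -> Optional[str]:
    """Return the NTA owner name covering qname, or None.  Expired entries (so a
    temporary NTA cannot silently become permanent) and entries whose own
    signature did not validate are ignored."""
    for owner in nta_candidates(qname):
        entry = zone.get(owner)
        if entry is None:
            continue
        expiry, validated = entry
        if validated and now < expiry:
            return owner
    return None

def decide(qname: str, validation_ok: bool, now: Optional[int] = None,
           zone: Dict[str, Tuple[int, bool]] = NTA_ZONE) -> Tuple[str, Optional[str]]:
    """Disposition of an answer: 'secure', 'bogus', or 'insecure' (served
    unvalidated because an NTA covers it).  The NTA zone is consulted only
    after a validation failure, so it can never downgrade an answer that
    validates."""
    if validation_ok:
        return ("secure", None)
    now = int(time.time()) if now is None else now
    owner = find_nta(qname, now, zone)
    if owner is not None:
        return ("insecure", owner)
    return ("bogus", None)
```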