On Feb 17, 2013, at 10:44 AM, Joe Abley <joe.ab...@icann.org> wrote:

> If there was a way to publish NTAs in the DNS, I would think unbound running
> on my laptop could behave the same way as unbound running on a stack of
> servers in a data centre. Whether or not I configure my laptop-resident
> unbound to look for such NTAs is surely up to me.
>
> I don't really understand the motivation for the MUST NOT above.
If this is informational, then it doesn't make sense to say MUST NOT anyway.

I think there could be a debate: is there a way to subscribe my resolver to the ISP's NTA zone, or not? The advantage of subscribing is that I get information that helps me to deal with brokenness. The disadvantage is that I am configuring my validating resolver so that a bad guy who works for my ISP could arrange to send me bad data.

I think it would be perfectly fine to just document this issue in the security considerations section. It's going to require a positive action to configure my host's validating resolver to do this anyway, which most users will not know how to do. It's also possibly worth mentioning social engineering attacks on the end user as a risk if such a capability is present in a host-based validating resolver.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
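The trade-off discussed in this message (an NTA removes the resolver's protection for everything under the named zone, so whoever publishes NTAs you honour can switch validation off) can be made concrete with a small model of how a validating resolver might apply NTAs. This is an added example written for this page; it is not code from the thread, from the draft, or from unbound. It assumes an NTA is simply a domain name below which DNSSEC validation is skipped, that NTAs the operator configured locally are trusted as-is, and that NTAs learned from a remote source such as an ISP-published zone are first passed through a local policy; the policy rules (minimum label count, a protected-zones list) are illustrative choices, not anything the thread or a specification prescribes.

```python
"""Model of how a validating resolver might apply Negative Trust Anchors (NTAs).

Constructed example for the DNSOP thread above; not unbound's code and not
taken from the draft. An NTA here is a domain name at or below which the
resolver skips DNSSEC validation. Locally configured NTAs are trusted as-is;
NTAs learned from a remote source (e.g. an ISP-published zone) pass a policy
filter first, because whoever controls that source can switch validation off.
"""

from dataclasses import dataclass, field
from typing import Iterable, List, Optional


def normalize(name: str) -> str:
    """Lower-case a domain name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    if not name.endswith("."):
        name += "."
    return name


def labels(name: str) -> List[str]:
    """Split a normalized name into labels; the root '.' gives []."""
    name = normalize(name)
    return [] if name == "." else name.rstrip(".").split(".")


def is_below_or_equal(qname: str, zone: str) -> bool:
    """True if qname is zone itself or lies under it (label-wise suffix match)."""
    q, z = labels(qname), labels(zone)
    return len(q) >= len(z) and (len(z) == 0 or q[-len(z):] == z)


def nta_covers(qname: str, ntas: Iterable[str]) -> Optional[str]:
    """Return the most specific NTA covering qname, or None if validation applies."""
    matches = [normalize(n) for n in ntas if is_below_or_equal(qname, n)]
    return max(matches, key=lambda n: len(labels(n))) if matches else None


@dataclass
class RemoteNtaPolicy:
    """Constraints applied before honouring NTAs the operator did not configure."""
    # Reject NTAs at the root or TLD level: a single such entry would disable
    # validation for most of the namespace (hypothetical policy knob).
    min_labels: int = 2
    # Zones for which validation must never be disabled, whatever a remote
    # source says (hypothetical policy knob).
    protected: List[str] = field(default_factory=list)

    def accept(self, nta: str) -> bool:
        if len(labels(nta)) < self.min_labels:
            return False
        # Reject if the NTA would cover a protected zone, or sit inside one.
        return not any(is_below_or_equal(p, nta) or is_below_or_equal(nta, p)
                       for p in self.protected)


def filter_remote_ntas(remote: Iterable[str], policy: RemoteNtaPolicy) -> List[str]:
    """Keep only the remote NTAs that the local policy allows."""
    return [normalize(n) for n in remote if policy.accept(n)]


def effective_ntas(local: Iterable[str], remote: Iterable[str],
                   policy: RemoteNtaPolicy) -> List[str]:
    """Local NTAs are honoured unconditionally; remote ones only via the policy."""
    return [normalize(n) for n in local] + filter_remote_ntas(remote, policy)


# Constructed sample data: one hand-configured NTA and an ISP feed that mixes
# a plausible entry with over-broad and sensitive ones.
LOCAL_NTAS = ["broken.example"]
ISP_NTAS = [".", "com", "flaky.example.net", "bank.example", "www.flaky.example.net"]
POLICY = RemoteNtaPolicy(protected=["bank.example"])

if __name__ == "__main__":
    ntas = effective_ntas(LOCAL_NTAS, ISP_NTAS, POLICY)
    print("honoured NTAs:", ntas)
    for q in ["www.broken.example", "www.example.com",
              "smtp.flaky.example.net", "login.bank.example"]:
        hit = nta_covers(q, ntas)
        verdict = f"skip validation (NTA {hit})" if hit else "validate"
        print(f"{q:28} -> {verdict}")
```

Running it shows the point of the debate: the root and `com` entries from the constructed ISP feed are dropped because they would blanket the namespace, the `bank.example` entry is dropped because the operator protected that zone, and only the narrow `flaky.example.net` entries are honoured alongside the locally configured one. Which names actually lose validation is then decided by `nta_covers`, which picks the most specific matching NTA.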