Moin! On 17.02.2013, at 16:35, Joe Abley <jab...@hopcount.ca> wrote:
> The use case here is not people who have messed up signing their zones
> publishing an NTA; it's validator operators who need a convenient way to
> share their validation policy.
>
> So, to spell it out:
>
> - hopcount.ca's signer explodes (or something else happens such that
> hopcount.ca is badly signed)
> - since hopcount.ca is such a popular domain for Comcast customers, Comcast
> DNS engineers take the time to discover that the validation failure for that
> zone is in fact due to an operational problem and not an attack
> - Comcast adds a hopcount.ca.nta.comcast.com zone, which is signed
> - Comcast's validators pick up the NTA from that zone and configure
> themselves accordingly

That sounds like a negative DLV to me. I think DLV was a bad idea, and I don't think this is a good idea either when you are crossing organization boundaries. I guess it is ok when used inside a provider as a mechanism to distribute NTAs, but then it doesn't need to be in that document.

So long
-Ralf

---
Ralf Weber
Senior Infrastructure Architect
Nominum Inc.
2000 Seaport Blvd. Suite 400
Redwood City, California 94063
ralf.we...@nominum.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
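The following is an added illustration of the distribution scheme Joe's quoted message sketches (a validator looks up `<zone>.nta.<provider NTA zone>` and only honours the answer if that lookup was itself DNSSEC-validated); it is not code from either participant or from any resolver product. The record format (a TXT string carrying an expiry), the in-memory table standing in for DNS responses, and the timestamps are all constructed assumptions, since the message specifies none of them. Emitting unbound's `domain-insecure:` option is one way a validator could "configure itself accordingly"; nothing in the thread prescribes that output.

```python
"""Added example: consuming a provider-published NTA zone, as sketched in the
quoted message. Record format, lookup table and timestamps are constructed
assumptions for illustration; the thread does not define them."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Answer:
    rdata: str        # assumed TXT payload, e.g. "nta expires=<unix timestamp>"
    validated: bool   # True if the validator marked the answer secure (AD set)


# Constructed stand-in for DNS responses from the provider's signed NTA zone.
# A real implementation would query the resolver; this table keeps the example offline.
NOW = 1361111700  # constructed "current time", 2013-02-17 UTC
CONSTRUCTED_RESPONSES: Dict[str, Answer] = {
    # Active NTA, answer validated: honour it.
    "hopcount.ca.nta.comcast.com.": Answer("nta expires=1361198100", validated=True),
    # NTA whose expiry has passed: ignore it.
    "example.net.nta.comcast.com.": Answer("nta expires=1360000000", validated=True),
    # Answer that did not validate: an NTA must never be accepted on an unvalidated answer.
    "evil.example.nta.comcast.com.": Answer("nta expires=1361198100", validated=False),
}

NTA_ZONE = "nta.comcast.com."  # assumed provider NTA apex, from the message's example


def nta_name(zone: str, nta_zone: str = NTA_ZONE) -> str:
    """Derive the lookup name <zone>.<nta_zone> for a badly signed zone."""
    return f"{zone.rstrip('.').lower()}.{nta_zone}"


def parse_expiry(rdata: str) -> Optional[int]:
    """Extract the assumed 'expires=<unix ts>' token; None if absent or malformed."""
    for token in rdata.split():
        if token.startswith("expires="):
            try:
                return int(token[len("expires="):])
            except ValueError:
                return None
    return None


def nta_for(zone: str, responses: Dict[str, Answer], now: int) -> Optional[Tuple[str, int]]:
    """Return (zone, expiry) if a validated, unexpired NTA exists, else None.

    The validated check is the whole point of signing the NTA zone: an
    unvalidated answer could be injected by the very attacker the NTA
    would otherwise let through.
    """
    answer = responses.get(nta_name(zone))
    if answer is None or not answer.validated:
        return None
    expires = parse_expiry(answer.rdata)
    if expires is None or expires <= now:
        return None
    return (zone.rstrip(".").lower(), expires)


def unbound_config(zones: List[str], responses: Dict[str, Answer], now: int) -> List[str]:
    """Emit unbound 'domain-insecure:' lines for every zone with an active NTA."""
    lines = []
    for zone in zones:
        hit = nta_for(zone, responses, now)
        if hit is not None:
            lines.append(f'domain-insecure: "{hit[0]}"')
    return lines


if __name__ == "__main__":
    for line in unbound_config(["hopcount.ca", "example.net", "evil.example"],
                               CONSTRUCTED_RESPONSES, NOW):
        print(line)
```

The expiry field is there because an NTA that never lapses silently turns a temporary operational fix into permanent insecurity for that zone; the `validated` gate is what makes the scheme depend on the provider's signed zone rather than on whatever answer arrives.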