Jason, in section 10 you talk about possible early removal the NTA when
validation succeeds but there may be instances where validation succeeds
when using a sub-set of the authoritative servers thus NTA should only
be removed if all servers are providing "good" signatures.
Furthermore what to do if some names work but others do not, for example
I remember a case where the records at the apex worked but all names
below the apex were signed by a key not in the DNSKEY RRset, thus it is
possible that either human or automated checks may assume there is no
problem when there actually is one.
What this is bringing to my mind is maybe you want a new section with
guidelines on how to test for failures and in what cases failure
justifies NTA and what tests MUST pass before preemttive removal of an NTA.
Also should there be guidance that removal of NTA should include
cleaning the caches of all RRsets below the name?
Olafur
On 17/02/2013 10:22, Livingood, Jason wrote:
Based on feedback yesterday on the list, I did a quick –04 update, which
is now at
https://datatracker.ietf.org/doc/draft-livingood-negative-trust-anchors/.
The are seven open issues documented at the end of the I-D. But the most
important questions for this WG are:
1 – Is this worth consideration as a WG I-D or should it continue only
as an individual I-D?
2 – If the answer to #1 is that it should be a WG I-D, would you like a
brief discussion of the open issues at IETF 86?
Thanks!
Jason
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
