In message <51228dfb.3070...@ogud.com>, Olafur Gudmundsson writes:

> Jason, in section 10 you talk about possible early removal of the NTA when
> validation succeeds but there may be instances where validation succeeds
> when using a sub-set of the authoritative servers thus NTA should only
> be removed if all servers are providing "good" signatures.

Why? This is no different to a server being down. Validators are expected to
ignore bad answers so a conforming resolver will find the working copies of
the zone.

> Furthermore what to do if some names work but others do not, for example
> I remember a case where the records at the apex worked but all names
> below the apex were signed by a key not in the DNSKEY RRset, thus it is
> possible that either human or automated checks may assume there is no
> problem when there actually is one.

This is no different than making the decision to add a NTA or not.

> What this is bringing to my mind is maybe you want a new section with
> guidelines on how to test for failures and in what cases failure
> justifies NTA and what tests MUST pass before preemptive removal of an
> NTA.
>
> Also should there be guidance that removal of NTA should include
> cleaning the caches of all RRsets below the name?
>
> Olafur

There are lots of ways to stuff up DNSSEC. There are different steps that can
be taken to clean up after such stuff ups. We don't need to describe those
steps.

> On 17/02/2013 10:22, Livingood, Jason wrote:
> > Based on feedback yesterday on the list, I did a quick update, which
> > is now at
> > https://datatracker.ietf.org/doc/draft-livingood-negative-trust-anchors/.
> >
> > There are seven open issues documented at the end of the I-D. But the most
> > important questions for this WG are:
> > 1 * Is this worth consideration as a WG I-D or should it continue only
> > as an individual I-D?
> > 2 * If the answer to #1 is that it should be a WG I-D, would you like a
> > brief discussion of the open issues at IETF 86?
> >
> > Thanks!
> > Jason
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
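The thread above discusses two things a resolver operator would want to test before dropping a Negative Trust Anchor: whether every authoritative server, not just a subset, serves consistently validatable data, and whether names below the apex are signed by a key that is actually in the apex DNSKEY RRset. The following Python is an added illustration of such an offline check; it is not code from the thread, from ISC, or from the draft. The zone name, server names and key bytes are constructed, and the key tag routine follows RFC 4034 Appendix B (the form used for every algorithm other than RSA/MD5).

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int      # DNSSEC algorithm number, e.g. 8 = RSA/SHA-256
    public_key: bytes   # raw public key field; constructed bytes below
    protocol: int = 3   # fixed at 3 for DNSSEC (RFC 4034)

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags | protocol | algorithm | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class RRSIG:
    owner: str          # name the signature covers
    type_covered: str   # e.g. "A", "SOA", "DNSKEY"
    algorithm: int
    key_tag: int
    signer: str         # must be the zone apex for an in-zone signature


@dataclass
class ZoneSnapshot:
    """What one authoritative server handed back for the zone (constructed)."""
    apex: str
    dnskeys: List[DNSKEY]
    rrsigs: List[RRSIG]


def audit_snapshot(snap: ZoneSnapshot) -> List[str]:
    """Return problems found; an empty list means every RRSIG references a
    key present in the apex DNSKEY RRset, at the apex and below it."""
    known = {(key_tag(k), k.algorithm) for k in snap.dnskeys}
    problems = []
    for sig in snap.rrsigs:
        where = f"{sig.owner}/{sig.type_covered}"
        if sig.signer != snap.apex:
            problems.append(f"{where}: signer {sig.signer} is not the apex {snap.apex}")
        elif (sig.key_tag, sig.algorithm) not in known:
            problems.append(f"{where}: RRSIG key tag {sig.key_tag} alg {sig.algorithm} "
                            f"is not in the apex DNSKEY RRset")
    return problems


def nta_removal_report(snapshots: Dict[str, ZoneSnapshot]) -> dict:
    """Audit every authoritative server; 'all_clean' is the strict test
    (drop the NTA only when no server still serves broken signatures),
    'clean_servers' shows which copies a validator could succeed against."""
    per_server = {srv: audit_snapshot(snap) for srv, snap in snapshots.items()}
    clean = sorted(srv for srv, probs in per_server.items() if not probs)
    return {
        "per_server": per_server,
        "clean_servers": clean,
        "all_clean": len(clean) == len(per_server),
    }


# Constructed data: the KSK is published at the apex, but one server still
# signs names below the apex with a ZSK that never made it into the RRset.
APEX = "example."
KSK = DNSKEY(flags=257, algorithm=8, public_key=b"\x01\x02\x03\x04")
UNPUBLISHED_ZSK = DNSKEY(flags=256, algorithm=8, public_key=b"\xaa\xbb\xcc\xdd")


def _sig(owner: str, rtype: str, key: DNSKEY) -> RRSIG:
    return RRSIG(owner, rtype, key.algorithm, key_tag(key), APEX)


SNAPSHOTS = {
    "ns1.example.": ZoneSnapshot(APEX, [KSK], [
        _sig(APEX, "SOA", KSK),
        _sig(APEX, "DNSKEY", KSK),
        _sig("www.example.", "A", UNPUBLISHED_ZSK),   # apex fine, child broken
    ]),
    "ns2.example.": ZoneSnapshot(APEX, [KSK], [
        _sig(APEX, "SOA", KSK),
        _sig(APEX, "DNSKEY", KSK),
        _sig("www.example.", "A", KSK),
    ]),
}

if __name__ == "__main__":
    report = nta_removal_report(SNAPSHOTS)
    for srv, probs in report["per_server"].items():
        print(srv, "OK" if not probs else probs)
    print("safe to remove NTA under all-servers policy:", report["all_clean"])
```

Run against the constructed snapshots, ns2 is clean while ns1 reports the child-name signature that points at a key tag absent from the DNSKEY RRset, so a validator that happened to query only ns2 would see success while the all-servers test still says the NTA should stay. A real check would build the snapshots from queries sent to each server listed in the zone's NS RRset rather than from constructed records.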