On 2/18/13 3:24 PM, "Olafur Gudmundsson" <o...@ogud.com> wrote:
> Jason, in section 10 you talk about possible early removal of the NTA when
> validation succeeds but there may be instances where validation succeeds
> when using a sub-set of the authoritative servers thus NTA should only
> be removed if all servers are providing "good" signatures.

Excellent point! We have certainly seen cases where 2 of 3 name servers are fine and one of them is acting wonky. I will add that to the open issue tracker for a future substantive update!

> Furthermore what to do if some names work but others do not, for example
> I remember a case where the records at the apex worked but all names
> below the apex were signed by a key not in the DNSKEY RRset, thus it is
> possible that either human or automated checks may assume there is no
> problem when there actually is one.
>
> What this is bringing to my mind is maybe you want a new section with
> guidelines on how to test for failures and in what cases failure
> justifies NTA and what tests MUST pass before preemptive removal of an
> NTA.

Good question - will address in a future version as well.

> Also should there be guidance that removal of NTA should include
> cleaning the caches of all RRsets below the name?

I think so, yes. I will add this as well - can't hurt.

Thank you,
Jason

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
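The two failure modes raised in the thread (a subset of the authoritative servers serving good signatures, and the apex validating while names below it are signed by a key absent from the DNSKEY RRset) both slip past a check that asks a single recursive resolver "does the zone validate?". The following is an added example, not text or code from the draft or from either poster, of a pre-removal gate that probes every authoritative server directly and validates both the apex DNSKEY set and sampled names below the apex against that server's own keys. The zone `example.com.`, the server addresses `192.0.2.x`, and the three scenario tables are constructed data, not measurements; `live_probe` assumes dnspython is installed and is only exercised when run against real servers.

```python
"""Gate the removal of a negative trust anchor (NTA) for a zone.

Added example, not from the draft or the thread.  Each authoritative server is
checked separately, at the apex and at names below it; the NTA is reported as
removable only when every check on every server passes.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# probe(server, zone, name, rdtype) -> (validates?, detail).  "Validates" means the
# RRset for name/rdtype served by that server verifies against the DNSKEY RRset
# the same server publishes at the zone apex.
Probe = Callable[[str, str, str, str], Tuple[bool, str]]


@dataclass
class NtaCheckResult:
    removable: bool
    failures: List[str] = field(default_factory=list)


def nta_removal_check(zone: str, servers: List[str],
                      names: List[Tuple[str, str]], probe: Probe) -> NtaCheckResult:
    """removable is True only if every server validates every (name, rdtype).

    The apex DNSKEY RRset is checked first on each server; if it fails, the server
    is recorded as broken and its other names are skipped, since nothing below the
    apex can validate without a good key set.
    """
    failures: List[str] = []
    for server in servers:
        ok, detail = probe(server, zone, zone, "DNSKEY")
        if not ok:
            failures.append(f"{server}: apex DNSKEY {detail}")
            continue
        for name, rdtype in names:
            ok, detail = probe(server, zone, name, rdtype)
            if not ok:
                failures.append(f"{server}: {name}/{rdtype} {detail}")
    return NtaCheckResult(removable=not failures, failures=failures)


def live_probe(server: str, zone: str, name: str, rdtype: str,
               timeout: float = 5.0) -> Tuple[bool, str]:
    """Probe with dnspython (assumed installed): query the authoritative server
    directly over TCP, so no recursion and no cache, and validate against the
    apex DNSKEY set that this same server returns.  Imported lazily so the
    decision logic above runs offline without dnspython."""
    import dns.dnssec, dns.message, dns.name, dns.query, dns.rdataclass, dns.rdatatype

    zname, qname = dns.name.from_text(zone), dns.name.from_text(name)
    qtype = dns.rdatatype.from_text(rdtype)
    try:
        resp = dns.query.tcp(dns.message.make_query(zname, "DNSKEY", want_dnssec=True),
                             server, timeout=timeout)
        keys = resp.find_rrset(resp.answer, zname, dns.rdataclass.IN, dns.rdatatype.DNSKEY)
        keysigs = resp.find_rrset(resp.answer, zname, dns.rdataclass.IN,
                                  dns.rdatatype.RRSIG, dns.rdatatype.DNSKEY)
        dns.dnssec.validate(keys, keysigs, {zname: keys})  # self-signed key set
        if qname != zname or qtype != dns.rdatatype.DNSKEY:
            resp = dns.query.tcp(dns.message.make_query(qname, qtype, want_dnssec=True),
                                 server, timeout=timeout)
            rrset = resp.find_rrset(resp.answer, qname, dns.rdataclass.IN, qtype)
            sigs = resp.find_rrset(resp.answer, qname, dns.rdataclass.IN,
                                   dns.rdatatype.RRSIG, qtype)
            # Raises when the RRSIG was made with a key not in the apex DNSKEY RRset.
            dns.dnssec.validate(rrset, sigs, {zname: keys})
        return True, "validates"
    except KeyError:
        return False, "RRset or RRSIG missing from answer"
    except dns.dnssec.ValidationFailure as exc:
        return False, f"signature does not validate ({exc})"
    except Exception as exc:  # timeout, refused connection, malformed reply
        return False, f"query failed ({exc})"


def table_probe(table: Dict[Tuple[str, str, str], bool]) -> Probe:
    """Offline probe backed by a constructed table (server, name, rdtype) -> bool.
    Entries missing from the table count as failed queries: unknown is not good."""
    def probe(server: str, zone: str, name: str, rdtype: str) -> Tuple[bool, str]:
        ok = table.get((server, name, rdtype))
        if ok is None:
            return False, "query failed (no answer)"
        return ok, ("validates" if ok else "signature does not validate")
    return probe


# Constructed scenarios, not measurements of any real zone.
ZONE = "example.com."
SERVERS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
NAMES = [(ZONE, "SOA"), ("www.example.com.", "A")]


def scenario(bad: Optional[Dict[Tuple[str, str, str], bool]] = None) -> Dict[Tuple[str, str, str], bool]:
    table = {(s, n, t): True for s in SERVERS for n, t in [(ZONE, "DNSKEY")] + NAMES}
    table.update(bad or {})
    return table


SCENARIO_ALL_GOOD = scenario()
# Two of three servers fine, the third serving a DNSKEY set that does not validate.
SCENARIO_ONE_BAD_SERVER = scenario({("192.0.2.3", ZONE, "DNSKEY"): False})
# Apex fine on every server, names below the apex signed by a key not in the DNSKEY RRset.
SCENARIO_BAD_BELOW_APEX = scenario({(s, "www.example.com.", "A"): False for s in SERVERS})

if __name__ == "__main__":
    for label, table in [("all good", SCENARIO_ALL_GOOD), ("one bad server", SCENARIO_ONE_BAD_SERVER),
                         ("bad below apex", SCENARIO_BAD_BELOW_APEX)]:
        res = nta_removal_check(ZONE, SERVERS, NAMES, table_probe(table))
        print(f"{label}: removable={res.removable} failures={res.failures}")
```

For a live check, pass `live_probe` in place of `table_probe(...)` with the zone's NS addresses and a handful of names that are actually signed below the apex (the delegation's own SOA plus a few leaf names is a reasonable minimum). Once the gate passes and the NTA is removed, flush the resolver's cache below the name as the thread suggests, for example `rndc flushtree example.com` on BIND, so that RRsets learned while the NTA was in place are not served as if they had validated.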