> From: Tony Finch <d...@dotat.at>
> It is an interesting draft and I can see why the problem concerns you. The 
> dummy DS is a clever work-around, but it is a pity about the validation bug 
> in Google public DNS.

Thanks. I'm not sure whether the validation error is a bug or not.

> I wonder about the possibility of adjusting the rules for caching 
> delegations. Would it make sense to remember that a referral is insecure for 
> the lifetime of the NS RRset, instead of the lifetime of the negative DS 
> answer?

This idea requires updating RFC 2308.

I'm afraid that when newly registered DS RR will be used if the
negative DS answer is cached.

--
Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
