pebersman> Have you actually read through the new draft? It specifically
pebersman> prohibits automatic installation of NTAs and says that you
pebersman> should have folks familiar with operating DNS servers making
pebersman> any decisions.

pwouters> That's my problem with the document. It describes a local
pwouters> policy that a site might have. And documents three software
pwouters> implementations on how to make such a negative trust
pwouters> anchor. Is that what an IETF document should do?

And documents the reason why it's needed and where and how it does and does not apply, and when to use them. That sounds informational to me. It never claims that everyone will use these but does document how to do it responsibly if you do find it useful. If you don't find all this in the draft, point out what's missing. If what you are saying is that you don't find the idea of NTAs useful to you, that's your privilege, but it doesn't make it useless to others.

pebersman> That isn't painless. It means that this skips past all 1st
pebersman> tier and gets to senior engineers. Don't know about you but I
pebersman> hate getting on-call problems caused by someone else that I
pebersman> have no direct way to fix but that my customers beat me for.

pwouters> I did not get from reading the draft how I suddenly get much
pwouters> better engineering contacts with big players.

I think you're confusing the domain owner and the user of the NTA. My statement above was that the user of the NTA needs to have engineers who understand and run DNS servers making decisions of when to use the NTA. It doesn't attempt to mandate what kind of engineers or contacts the owner of the borked domain has. Sadly, if the DNSSEC validation is broken, it's usually because they don't have experienced folks running their DNS. Or did I not understand your question/objection here?

pwouters> In fact, the draft tells me the NTAs I create should not be
pwouters> distributed outside my administrative domain.

Right. And you, as the person responsible for running your admin domain, should be sure that whoever is making decisions about using or not using an NTA for some broken domain elsewhere outside your admin domain is someone who actually understands DNS, can correctly confirm that the domain is misconfigured, etc.

pwouters> So I'm confused. What is the goal of this document? How does
pwouters> it help us?

If you are not running a large recursive caching DNS farm, doing DNSSEC validation and with lots of users who can/will call you when things break, this may not be compelling to you. Not every RFC is relevant or useful to everyone on the internet. If you are running such a DNS farm and you haven't already had this issue, I'd be very surprised.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop