Many others have made the points I would have made about the operational value of NTAs so I won't repeat those... but I want to just say that I think Paul Ebersman nails it here:
On Oct 26, 2014, at 12:09 PM, Paul Ebersman <list-dn...@dragon.net> wrote:

> I see NTA as a tool that we should try to never use but which is
> invaluable when we do need it.

Exactly! Hopefully everything "just works" 99% of the time... but in the event something doesn't work right, the operators have a narrow "scalpel" tool in their toolbox that they can pull out rather than resorting to more drastic measures such as, for example, disabling all DNSSEC validation.

Ideally NTAs never get used, and as DNSSEC deployment moves along and DNS operators get increasingly familiar with the operational practices required of DNSSEC, the need for NTAs will eventually fade away.

> My agenda in pushing this draft is not to advocate widespread use but to
> guarantee that all of my vendors have an RFC to code against so that I
> have consistent behavior and plenty of server choices for server
> diversity.

Yes! If we have an operational need to have a way to generate DNSSEC validation exceptions, let's please have *one* way that we can collectively agree upon rather than having every different operator come up with some custom mechanism that works only for them. This will make the overall deployment that much easier if the one method is spread across multiple software vendors and systems.

My 2 cents,
Dan

P.S. Nice quote, Warren!

--
Dan York
Senior Content Strategist, Internet Society
y...@isoc.org   +1-802-735-1624
Jabber: y...@jabber.isoc.org
Skype: danyork
http://twitter.com/danyork
http://www.internetsociety.org/deploy360/
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
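The contrast Dan draws above, a narrowly scoped validation exception versus switching DNSSEC validation off for everything, shown as a resolver configuration. This is an added illustration, not text from the thread or from the NTA draft; it uses the unbound.conf syntax of the Unbound resolver, and the zone name example.com is a placeholder for whichever zone is temporarily broken.

```conf
# unbound.conf excerpt (added example, not from the thread; example.com is a placeholder)
server:
    # Normal operation: DNSSEC validation stays on for every name.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # The "scalpel": treat only example.com (and names below it) as
    # insecure, so a broken signature there stops failing lookups while
    # every other zone is still validated. Remove it once the zone is fixed.
    domain-insecure: "example.com"

    # The "drastic measure" the thread warns against, kept here commented
    # out for contrast only: dropping the validator module from the
    # pipeline turns DNSSEC validation off for every zone, not just the
    # broken one.
    #   module-config: "iterator"
```

Two practical caveats: a static domain-insecure entry has no expiry, so whoever adds it has to track and remove it, and every such exception should be logged and reviewed, since each one is a deliberate, temporary hole in validation for that subtree.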