On Sat, May 9, 2015 at 8:50 PM, Evan Hunt <e...@isc.org> wrote:
> On Sat, May 09, 2015 at 03:08:11PM +0200, Warren Kumari wrote:
>> "It is RECOMMENDED that implementations warn operators (or treat as an
>> error) if they attempt to add an NTA for a domain that has a
>> configured positive trust anchor."
>
> You still need to say what happens if the implementation decides to warn
> instead of treat it as an error.
>
> Actually, weirdly enough, after I implemented NTAs in BIND, one of the
> very first applications somebody came up with for them was to temporarily
> disable DNSSEC validation by setting an NTA for ".". This was seen as
> better than "rndc validation off" because he didn't have to send "rndc
> validation on" afterward; it would just quietly switch itself back on
> after a minute. It's... actually a pretty clever hack, and I don't
> really want to disable it.
>
> May I suggest:

Yes, yes you may...

> "An NTA placed at a node where there is a configured
> positive trust anchor takes precedence over that trust anchor, effectively
> disabling it. Implementations MAY issue a warning when this occurs."

and I'll go "Yay! Good text" and copy and paste it into the doc.... and that's what I did.... DONE.

W

> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
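The semantics agreed in the exchange above (an NTA at a node with a configured positive trust anchor takes precedence and disables it, a warning is optional, and an NTA such as one for "." lapses on its own after its lifetime) as a toy validator model. This is an added example, not code from the thread, the draft or BIND; the class, function names, lifetimes and sample names are constructed for illustration.

```python
# Added example (not from the thread or BIND): a toy model of how a validating
# resolver might reconcile configured positive trust anchors with temporary
# negative trust anchors (NTAs). All names and lifetimes here are constructed.
import time

def _labels(name):
    """Split a DNS name into labels, root first, so ancestors can be walked."""
    name = name.rstrip(".").lower()
    return [] if name == "" else list(reversed(name.split(".")))

def _is_at_or_below(name, node):
    """True if `name` equals `node` or lies underneath it in the DNS tree."""
    n, m = _labels(name), _labels(node)
    return n[:len(m)] == m

class TrustConfig:
    def __init__(self, trust_anchors, warn=print):
        # Configured positive trust anchors, e.g. {"."} for the root key.
        self.trust_anchors = {ta.rstrip(".").lower() + "." for ta in trust_anchors}
        self.ntas = {}        # node -> expiry timestamp (seconds)
        self.warn = warn      # hook so a caller can log or collect warnings

    def add_nta(self, node, lifetime, now=None):
        """Install an NTA at `node` that lapses after `lifetime` seconds."""
        now = time.time() if now is None else now
        node = node.rstrip(".").lower() + "."
        if node in self.trust_anchors:
            # Per the agreed text: the NTA takes precedence over the configured
            # anchor and the implementation MAY warn, so warning is just a hook.
            self.warn("warning: NTA at %s overrides configured trust anchor" % node)
        self.ntas[node] = now + lifetime

    def active_ntas(self, now=None):
        now = time.time() if now is None else now
        # Drop expired NTAs so validation switches itself back on unattended.
        self.ntas = {n: exp for n, exp in self.ntas.items() if exp > now}
        return set(self.ntas)

    def validation_state(self, name, now=None):
        """"insecure" if an active NTA covers `name`, "secure" if a trust
        anchor covers it, otherwise "indeterminate"."""
        if any(_is_at_or_below(name, n) for n in self.active_ntas(now)):
            return "insecure"
        if any(_is_at_or_below(name, ta) for ta in self.trust_anchors):
            return "secure"
        return "indeterminate"
```

With a root trust anchor and an NTA for "." of 60 seconds, every name reports "insecure" until the NTA expires and "secure" afterwards; an NTA below the anchor covers only its own subtree and raises no warning.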