At Tue, 12 May 2015 11:44:28 +0200, Warren Kumari <war...@kumari.net> wrote:
> > In BIND, NTA's are set by an rndc command, but in other implementations
> > they might be set up in a config file. If you have both a TA and an NTA
> > for the same node in the same configuration, that would be sensible to
> > warn about; it's the sort of oddity that might have been unintentional.
>
> "An NTA placed at a node where there is a configured positive trust
> anchor MUST take precendence over that trust anchor, effectively
> disabling it. Implementations SHOULD issue a warning or informational
> message when this occurs, so that operators are not surprised when
> this happens."

In the sense of (my understanding of) Evan's point, it would probably be even better if we explicitly clarify that the coexistence of positive and negative anchors should be allowed. So how about:

    An implementation that supports NTA SHOULD allow users to configure
    both positive and negative trust anchors for the same name at the
    same time. In this case, the NTA MUST take precedence over that
    positive trust anchor, so the NTA can be used as a way to disable
    DNSSEC validation for a specific name space temporarily.
    Implementations MAY issue a warning or informational message when
    this occurs, so that operators are not surprised when this happens.

(btw, my Emacs noticed a typo in the original text and I fixed it above:
s/precendence/precedence
this fix should be applied even if my proposed text is rejected)

--
JINMEI, Tatuya

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
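As an added illustration of the precedence rule discussed in this message (not code from the thread, BIND, or any validator), the following Python sketch models a validator's anchor configuration as two name sets and works out which policy applies to a query name. It assumes a closest-encloser rule, which the message does not spell out: walking from the query name toward the root, the nearest configured anchor decides, and where a positive trust anchor and an NTA sit at the same node the NTA wins and a warning is generated. The names used are constructed sample data.

```python
"""Effective DNSSEC policy when positive trust anchors and NTAs coexist.

Added example (hypothetical helper, not a validator's real API): models the
rule that an NTA configured at the same node as a positive trust anchor
takes precedence, and that the implementation may warn about the overlap.
"""
from typing import Iterable, Iterator, List


def normalize(name: str) -> str:
    """Lower-case the name and make it fully qualified ("example.com." style)."""
    name = name.strip().lower()
    if not name.endswith("."):
        name += "."
    return name


def ancestors(name: str) -> Iterator[str]:
    """Yield the name itself, then each parent name, ending with the root ".".

    ancestors("a.example.com.") -> "a.example.com.", "example.com.", "com.", "."
    """
    labels = [label for label in normalize(name).split(".") if label]
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


class AnchorConfig:
    """Positive trust anchors and negative trust anchors keyed by owner name."""

    def __init__(self, positive: Iterable[str], negative: Iterable[str]) -> None:
        self.positive = {normalize(n) for n in positive}
        self.negative = {normalize(n) for n in negative}

    def conflicts(self) -> List[str]:
        """Names carrying both a positive TA and an NTA (allowed; the NTA wins)."""
        return sorted(self.positive & self.negative)

    def warnings(self) -> List[str]:
        """Informational messages an implementation could log for each overlap."""
        return [
            f"NTA at {name} overrides the configured trust anchor; "
            f"DNSSEC validation is disabled at and below {name}"
            for name in self.conflicts()
        ]

    def effective_policy(self, qname: str) -> str:
        """Decide validation policy for qname.

        Assumption (not stated in the thread): the closest configured anchor
        above or at qname decides. At a node holding both kinds of anchor the
        NTA is checked first, which is the precedence the proposed text requires.
        Returns "insecure" (NTA applies), "validate" (positive TA applies) or
        "no-anchor" (nothing configured on the path to the root).
        """
        for node in ancestors(qname):
            if node in self.negative:
                return "insecure"
            if node in self.positive:
                return "validate"
        return "no-anchor"


if __name__ == "__main__":
    # Constructed sample configuration: root TA plus a TA for example.net.,
    # with NTAs at example.net. (overlap) and sub.example.com. (no overlap).
    cfg = AnchorConfig(positive=[".", "example.net"],
                       negative=["example.net.", "sub.example.com"])
    for line in cfg.warnings():
        print("warning:", line)
    for q in ("www.example.com", "host.sub.example.com", "www.example.net"):
        print(q, "->", cfg.effective_policy(q))
```

Running the block prints one warning for example.net. and shows that a query under sub.example.com. is treated as insecure while a sibling under example.com. is still validated against the root anchor, which is the "disable validation for a specific name space" behaviour the proposed wording describes.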