Thanks for the comments and input.

bcampbell> Can an operator be reasonably expected to be able to confirm
bcampbell> that a domain is being operated by its rightful owner?

A fair amount of the time, yes. I run the DNS team for Comcast and we've had pretty good luck getting to zone owners. Better than I'd expected, to be honest.

bcampbell> This seems to favor erring on the side of keeping the NTA. I
bcampbell> think security would suggest erring on the side of removing
bcampbell> the NTA.

Operationally painful without a noticeable improvement in security. Checking that the FQDN now validates would be done the same way it was done initially, so we should have the same confidence level that an NTA is still or is now not necessary.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop