On Wed, Nov 15, 2017 at 9:45 AM, Joe Abley <jab...@hopcount.ca> wrote:
> Hi Bob,
>
> On Nov 15, 2017, at 00:23, Bob Harold <rharo...@umich.edu> wrote:
>
>> If I have to add those entries to each zone, I worry that the automated DNS
>> appliance that I use might not be able to create the broken records
>> required.
>
> Since the implementation of the mechanism requires special handling of
> queries whose QNAMEs contain the special labels, I don't see why you would
> ever need to add anything to any zone.
>
> The point of this mechanism is to require no administrator action and to be
> on by default, I think.
Yup, *you* should not need to create these records; as long as someone does,
the testing will work -- e.g. if example.com publishes:

  _is-ta-4f66.example.com
  _not-ta-4f66.example.com
  badlysigned.example.com

and you can resolve things in example.com, you can do the testing.

If your appliance has not been upgraded to know about this new technique, the
result will correctly be "unknown / indeterminate" (Vleg[0]).

W

[0]: Vleg: A DNSSEC-validating resolver that does not include this mechanism
will respond with an A record response for "_is-ta", an A record response for
"_not-ta" and SERVFAIL for the invalid name.

>
> Joe
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

--
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing regret
at having chosen those particular rabid weasels and that pair of pants.
   ---maf
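The three-name test Warren describes, modelled from both sides as an added example (not code from the thread or from any draft): a toy resolver applies the special-label handling Joe refers to, and a classifier maps the three answers to a resolver state. The Vleg row is the footnote above; the handling rule and the Vnew, Vold and nonV rows are assumptions taken from the kskroll-sentinel draft's decision table.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Sentinel first label: _is-ta-<hex key tag> or _not-ta-<hex key tag>.
SENTINEL = re.compile(r"^_(is|not)-ta-([0-9a-f]{4})\.", re.IGNORECASE)

# Answers (is-ta, not-ta, badly-signed) -> state; Vleg is the footnote's row.
STATES: Dict[Tuple[str, str, str], str] = {
    ("A", "SERVFAIL", "SERVFAIL"): "Vnew",  # validates and trusts the key tag
    ("SERVFAIL", "A", "SERVFAIL"): "Vold",  # validates, does not trust it
    ("A", "A", "SERVFAIL"): "Vleg",         # validates, no sentinel support
    ("A", "A", "A"): "nonV",                # does not validate at all
}

@dataclass
class Resolver:
    """Toy resolver: `validates` = DNSSEC validation on, `sentinel` = special
    handling of the sentinel labels, `trust_anchors` = key tags it holds."""
    validates: bool
    sentinel: bool
    trust_anchors: FrozenSet[int] = frozenset()
    def query(self, qname: str, signed_ok: bool) -> str:
        """Return "A" or "SERVFAIL". `signed_ok` stands in for whether the
        name's RRset validates (constructed input, no real DNS traffic)."""
        if self.validates and not signed_ok:
            return "SERVFAIL"
        m = SENTINEL.match(qname)
        if self.validates and self.sentinel and m:
            kind, tag = m.group(1).lower(), int(m.group(2), 16)
            trusted = tag in self.trust_anchors
            # is-ta must fail when the tag is NOT trusted; not-ta when it IS.
            if (kind == "is") != trusted:
                return "SERVFAIL"
        return "A"

def sentinel_names(key_tag: int, zone: str) -> Tuple[str, str, str]:
    """Three test names, tag as four lowercase hex digits as in the mail
    (0x4f66 == 20326, the KSK-2017 tag); 'badlysigned' is the mail's name."""
    if not 0 <= key_tag <= 0xFFFF:
        raise ValueError("key tag must fit in 16 bits")
    return (f"_is-ta-{key_tag:04x}.{zone}", f"_not-ta-{key_tag:04x}.{zone}",
            f"badlysigned.{zone}")

def classify(resolver: Resolver, key_tag: int, zone: str) -> str:
    """Issue the three queries; answers outside the table are indeterminate."""
    is_ta, not_ta, broken = sentinel_names(key_tag, zone)
    answers = (resolver.query(is_ta, True), resolver.query(not_ta, True),
               resolver.query(broken, False))
    return STATES.get(answers, "indeterminate")
```

Because the sentinel logic lives in the resolver's query path, the zone operator only publishes ordinary signed names plus one deliberately broken one; nothing per-resolver is ever added to the zone.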