On Wed, Nov 15, 2017 at 9:45 AM, Joe Abley <jab...@hopcount.ca> wrote:
> Hi Bob,
>
> On Nov 15, 2017, at 00:23, Bob Harold <rharo...@umich.edu> wrote:
>
>> If I have to add those entries to each zone, I worry that the automated DNS
>> appliance that I use might not be able to create the broken records
>> required.
>
> Since the implementation of the mechanism requires special handling of
> queries whose QNAMEs contain the special labels, I don't see why you would
> ever need to add anything to any zone.
>
> The point of this mechanism is to require no administrator action and to be
> on by default, I think.

Yup, *you* should not need to create these records; as long as someone
does, the testing will work -- e.g. if example.com publishes:
_is-ta-4f66.example.com
_not-ta-4f66.example.com
badlysigned.example.com

and you can resolve things in example.com, you can do the testing. If
your appliance has not been upgraded to know about this new technique,
the result will correctly be "unknown / indeterminate" (Vleg[0]).

W

[0]: Vleg: A DNSSEC-Validating resolver that does not include this
      mechanism will respond with an A record response for "_is-ta", an
      A record response for "_not-ta" and SERVFAIL for the invalid name.


>
>
> Joe
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

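The three-query test Warren sketches above, written out as an added example (this is not code from the thread or from the sentinel draft). It builds the `_is-ta-<hex keytag>` / `_not-ta-<hex keytag>` / `badlysigned` names in the form the message shows, then classifies a resolver from the three answers. The page only gives the Vleg signature (A, A, SERVFAIL); the other rows are assumptions taken from the sentinel mechanism as later published in RFC 8509 (a sentinel-aware validator returns SERVFAIL for `_is-ta` when the key is not one of its trust anchors, and SERVFAIL for `_not-ta` when it is), and RFC 8509 also renamed the labels to `root-key-sentinel-is-ta-<decimal keytag>`, so the hex form here matches the draft discussed in the thread rather than the RFC. Key tag 20326 (hex 4f66) and the dictionary-backed stub resolvers are constructed sample input; replace `resolve` with a real lookup to probe a live resolver.

```python
"""Classify a resolver from the three KSK-sentinel queries.

Added example, not from the DNSOP thread or the draft. The Vleg row
comes from the message above; the Vnew rows are assumed from RFC 8509.
"""
from enum import Enum


class Answer(Enum):
    A = "A"                # name resolved to an A record
    SERVFAIL = "SERVFAIL"  # resolver returned SERVFAIL


class Resolver(Enum):
    VLEG = "Vleg: validating, no sentinel support"
    VNEW_TA = "Vnew: sentinel-aware, key IS a trust anchor"
    VNEW_NOT_TA = "Vnew: sentinel-aware, key is NOT a trust anchor"
    NONVALIDATING = "non-validating (badly signed name resolved)"
    INDETERMINATE = "indeterminate (unexpected combination)"


def sentinel_names(zone, key_tag):
    """Build the three query names; key tag is rendered as 4 hex digits,
    matching the _is-ta-4f66 form used in the thread."""
    tag = f"{key_tag:04x}"
    return (
        f"_is-ta-{tag}.{zone}",
        f"_not-ta-{tag}.{zone}",
        f"badlysigned.{zone}",
    )


def classify(is_ta, not_ta, bad):
    """Map the (is-ta, not-ta, badly-signed) answers to a resolver class."""
    # A non-validating resolver does not notice the broken signature,
    # so it answers everything; anything else with the bad name resolving
    # is a mixed signal we refuse to interpret.
    if bad is Answer.A:
        if is_ta is Answer.A and not_ta is Answer.A:
            return Resolver.NONVALIDATING
        return Resolver.INDETERMINATE
    # Validating resolver (SERVFAIL on the badly signed name).
    table = {
        (Answer.A, Answer.A): Resolver.VLEG,                 # from the thread
        (Answer.A, Answer.SERVFAIL): Resolver.VNEW_TA,       # assumed, RFC 8509
        (Answer.SERVFAIL, Answer.A): Resolver.VNEW_NOT_TA,   # assumed, RFC 8509
    }
    return table.get((is_ta, not_ta), Resolver.INDETERMINATE)


def probe(resolve, zone, key_tag):
    """Run the three queries through `resolve(name) -> Answer` and classify."""
    is_ta, not_ta, bad = (resolve(n) for n in sentinel_names(zone, key_tag))
    return classify(is_ta, not_ta, bad)


def make_stub(answers):
    """Constructed stand-in for a real lookup: a fixed name -> Answer map."""
    return lambda name: answers[name]


# Constructed sample resolvers for the KSK-2017 key tag (20326 == 0x4f66).
ZONE, KEY_TAG = "example.com", 20326
IS_TA, NOT_TA, BAD = sentinel_names(ZONE, KEY_TAG)

LEGACY_VALIDATOR = make_stub({IS_TA: Answer.A, NOT_TA: Answer.A, BAD: Answer.SERVFAIL})
NEW_VALIDATOR_WITH_KEY = make_stub({IS_TA: Answer.A, NOT_TA: Answer.SERVFAIL, BAD: Answer.SERVFAIL})
NEW_VALIDATOR_WITHOUT_KEY = make_stub({IS_TA: Answer.SERVFAIL, NOT_TA: Answer.A, BAD: Answer.SERVFAIL})
FORWARDER_NO_VALIDATION = make_stub({IS_TA: Answer.A, NOT_TA: Answer.A, BAD: Answer.A})

if __name__ == "__main__":
    for label, stub in [("legacy", LEGACY_VALIDATOR),
                        ("new+key", NEW_VALIDATOR_WITH_KEY),
                        ("new-key", NEW_VALIDATOR_WITHOUT_KEY),
                        ("no-val", FORWARDER_NO_VALIDATION)]:
        print(f"{label:8s} -> {probe(stub, ZONE, KEY_TAG).value}")
```

The point of the classifier is the one Warren makes: the zone operator publishes the three names once, and a resolver that knows nothing about the mechanism still lands in a well-defined bucket (Vleg) rather than producing a false positive for either trust-anchor state.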