On Aug 22, 2013, at 5:06 PM, Paul Vixie <[email protected]> wrote:

> i just find it indescribable that a content owner who signs their zone as a
> means to protect themselves against corruption in their secondary servers,
> can have that tool taken out of their hands by a distant resolver operator
> who uses NTA to keep their own phone from ringing.

They already have that regardless of NTA. In BIND configuration language it's:

    dnssec-validation no;

NTA simply gives the resolver operator the ability to limit the damage to a single zone instead of ALL zones.

> what i would like in local policies like nta or dlv which seek to be
> distributed and scalable is,

A local policy pretty much by definition is not supposed to be distributed and scalable.

Regards,
-drc
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
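The difference in scope described in the reply above (validation switched off for every zone versus an NTA for one zone), as an added example that is not part of the original message and is not BIND's code. It is a simplified Python model of a resolver's validate-or-not decision; the class, the zone names and the NTA expiry time are assumptions made for illustration.

```python
from dataclasses import dataclass, field


def labels(name):
    """Lower-case a DNS name and split it into labels (trailing dot ignored)."""
    return tuple(part for part in name.lower().rstrip(".").split(".") if part)


@dataclass
class ResolverPolicy:
    """Hypothetical model of one resolver operator's local policy."""
    validation_enabled: bool = True           # models `dnssec-validation`
    ntas: dict = field(default_factory=dict)  # zone -> expiry (epoch seconds, assumed)

    def covering_nta(self, qname, now):
        """Return the unexpired NTA zone at or above qname, or None."""
        q = labels(qname)
        for zone, expiry in self.ntas.items():
            z = labels(zone)
            # Compare whole labels, so "notbroken.example" is NOT covered
            # by an NTA for "broken.example" (a plain string suffix test would be).
            if now < expiry and len(q) >= len(z) and q[len(q) - len(z):] == z:
                return zone
        return None

    def validates(self, qname, now):
        """True if answers for qname are still DNSSEC-validated."""
        if not self.validation_enabled:
            return False  # global switch: no zone is protected
        return self.covering_nta(qname, now) is None


def coverage(policy, names, now):
    """Map each name to whether this resolver still validates it."""
    return {name: policy.validates(name, now) for name in names}


# Constructed sample names; "broken.example" stands for the one zone
# whose signatures are failing.
NAMES = ["www.broken.example", "broken.example",
         "notbroken.example", "bank.example"]

if __name__ == "__main__":
    global_off = ResolverPolicy(validation_enabled=False)
    single_nta = ResolverPolicy(ntas={"broken.example": 1000})
    print("validation off:", coverage(global_off, NAMES, now=500))
    print("NTA, active   :", coverage(single_nta, NAMES, now=500))
    print("NTA, expired  :", coverage(single_nta, NAMES, now=1000))
```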
