On Fri, Aug 23, 2013 at 04:02:47PM +0000, Vernon Schryver wrote:
> On the contrary, given minimal cover such as an RFC, corporate types
> at eyeball networks will mandate add-only NTA lists that only grow and
> never lose entries.
Obviously that's possible, but IIRC the draft requires that NTA entries have limited (and short) lifetimes.

If we decide to implement this in BIND (it's on our roadmap, but with a question mark), I expect the NTA lifetime will default to an hour and be capped at a day. NTAs would be inserted via the control channel (rndc) rather than a configuration file change, and wouldn't persist across system restarts. An operator could write a script to continually insert the same NTAs over and over again forever, but it would be easier to allow them to lapse as intended.

I was against NTAs when they were first proposed; I've come around. Disabling validation because of signing failures is the wrong thing to do, but people are going to do the wrong thing whether I like it or not, and if we must choose between evils, I prefer "rndc validation off nasa.gov" to "rndc validation off".

-- 
Evan Hunt -- [email protected]
Internet Systems Consortium, Inc.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
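The lifetime policy sketched in the message above (short default, hard cap, in-memory only, scoped to one name and what lies under it), worked through as an added example. This is not BIND code and not part of the original post; the one-hour default, one-day cap, and the NTATable class and its method names are assumptions made for illustration.

```python
"""Toy negative-trust-anchor (NTA) table with expiring entries.

Added example, not BIND's implementation. DEFAULT_LIFETIME, MAX_LIFETIME
and the NTATable API are assumptions chosen to illustrate the policy
described in the message: short default, hard cap, nothing persisted.
"""
from __future__ import annotations

import time

DEFAULT_LIFETIME = 3600   # assumed default: one hour
MAX_LIFETIME = 86400      # assumed cap: one day


def _labels(name: str) -> tuple[str, ...]:
    """Split a DNS name into labels, root-most first, lower-cased, no trailing dot."""
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()


class NTATable:
    """In-memory NTA table. Entries expire on their own, and nothing is
    written to disk, so a restart starts with an empty table."""

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable for testing
        self._entries: dict[tuple[str, ...], float] = {}

    def add(self, name: str, lifetime: int | None = None) -> float:
        """Insert an NTA for `name`. The lifetime defaults to DEFAULT_LIFETIME
        and is clamped to MAX_LIFETIME, so a single call can never create an
        unbounded entry. Returns the absolute expiry time."""
        if lifetime is None:
            lifetime = DEFAULT_LIFETIME
        if lifetime <= 0:
            raise ValueError("lifetime must be positive")
        lifetime = min(lifetime, MAX_LIFETIME)
        expires = self._clock() + lifetime
        self._entries[_labels(name)] = expires
        return expires

    def remove(self, name: str) -> bool:
        """Drop an NTA early (the operator's 'turn validation back on')."""
        return self._entries.pop(_labels(name), None) is not None

    def _expire(self) -> None:
        now = self._clock()
        for key in [k for k, exp in self._entries.items() if exp <= now]:
            del self._entries[key]

    def covering(self, qname: str) -> str | None:
        """Return the live NTA that covers qname (the name itself or its
        closest enclosing ancestor), or None. Expired entries are purged first."""
        self._expire()
        labels = _labels(qname)
        # Walk from the query name up toward the root; stop at the first match.
        for n in range(len(labels), 0, -1):
            key = labels[:n]
            if key in self._entries:
                return ".".join(reversed(key)) + "."
        return None

    def should_validate(self, qname: str) -> bool:
        """Validation stays on for every name except those under a live NTA:
        the scoped alternative to switching validation off globally."""
        return self.covering(qname) is None

    def dump(self) -> dict[str, float]:
        """Current live entries, as the operator would list them."""
        self._expire()
        return {".".join(reversed(k)) + ".": v for k, v in self._entries.items()}


if __name__ == "__main__":
    t = NTATable()
    t.add("nasa.gov")                 # constructed sample name, one-hour default
    print(t.should_validate("www.nasa.gov"), t.should_validate("www.example.org"))
    print(t.dump())
```

Two things the table enforces that a configuration-file list would not: an oversized lifetime is silently clamped to the cap rather than honoured, and a lookup for a sibling such as notnasa.gov is not covered by an NTA for nasa.gov, because matching is by whole labels, not by string suffix.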
