Vernon,

On Aug 23, 2013, at 11:10 AM, Vernon Schryver <[email protected]> wrote:

> They would be better served by `rndc validation off X hours` with
> a limit on the "X hours" of 24 than any sort of NTA hook.

So, because one zone messes up signing, instead of opening up that one zone to spoofing attack you think it is better that the resolver operator opens up all zones to spoofing attack? This seems wrong to me.

> If you don't let them use `rndc validation off X hours`, most will
> use `rndc nta gov` because their users will be shouting about government
> web site problems and they won't have the time, inclination, or
> permission to discover that it's only the apod.nasa.gov.

I'd suggest that in the BCP/RFC/whatever, in addition to recommending that NTAs be time capped and not written to permanent storage, it should also recommend NTAs be written as specifically as possible. (Should be obvious, but doesn't hurt to reiterate, I suppose.)

Regards,
-drc
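As an added illustration (not part of the thread and not BIND's code), a small Python model of an NTA table that shows how many names an `rndc nta gov` versus an `rndc nta apod.nasa.gov` entry would leave unvalidated, and that enforces the 24-hour cap and in-memory-only storage the post argues for. The sample names and lifetimes are constructed.

```python
# Model of negative trust anchors (NTAs) in a validating resolver.
# Constructed example: not code from the thread or from BIND.

MAX_NTA_LIFETIME = 24 * 3600  # seconds; the 24-hour cap discussed in the thread


def _labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def is_subdomain(name, ancestor):
    """True when `name` is `ancestor` or lies below it in the DNS tree."""
    n, a = _labels(name), _labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


class NTATable:
    """In-memory negative trust anchors; nothing here is ever persisted."""

    def __init__(self):
        self._entries = {}  # owner name -> absolute expiry time (seconds)

    def add(self, name, now, lifetime):
        """Add an NTA; reject lifetimes above the cap so it cannot be forgotten."""
        if lifetime <= 0 or lifetime > MAX_NTA_LIFETIME:
            raise ValueError(f"NTA lifetime must be in (0, {MAX_NTA_LIFETIME}] seconds")
        self._entries[".".join(_labels(name))] = now + lifetime

    def covers(self, qname, now):
        """Validation is skipped for qname when an unexpired NTA sits at or above it."""
        for owner, expiry in list(self._entries.items()):
            if expiry <= now:
                del self._entries[owner]  # expired entries are purged on lookup
                continue
            if is_subdomain(qname, owner):
                return True
        return False


def unvalidated_names(nta_name, candidates, now=0, lifetime=3600):
    """Return which of `candidates` would lose DNSSEC validation under one NTA."""
    table = NTATable()
    table.add(nta_name, now, lifetime)
    return [q for q in candidates if table.covers(q, now)]


# Constructed sample of names a resolver might see; only apod.nasa.gov is failing.
SAMPLE_QNAMES = ["apod.nasa.gov", "www.nasa.gov", "www.irs.gov", "example.com"]
```

Running `unvalidated_names("gov", SAMPLE_QNAMES)` against `unvalidated_names("apod.nasa.gov", SAMPLE_QNAMES)` makes the scope difference concrete: the broad entry strips validation from every .gov name in the sample, the narrow one only from the failing name.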
