How about this solution:

A truly DNSSEC aware authoritative server should not publish a zone, not even the unsigned records, when validation fails for that zone. That way, if a DNSSEC signed zone is DNSSEC broken, it's also broken for a non-validating resolver, there is no competition issue, and the zone publisher should fix his zone to get it working at all. Who will be the first DNS vendor implementing? :-)

-- 
Antoin Verschuren
Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500 M: +31 6 23368970
Mailto: [email protected]
XMPP: [email protected]
HTTP://www.sidn.nl/

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
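The all-or-nothing rule proposed in the message above, sketched as an added example (not code from the post or from any DNS vendor): a serving gate that refuses every query for a zone as soon as one RRset lacks a currently valid RRSIG. It checks only signature presence and validity windows, not the cryptographic signatures, and ignores delegations and glue; the zone data, the function names and the choice of SERVFAIL are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample zone; "c2ln" stands in for real signature data.
SAMPLE_ZONE = """\
example.nl. 3600 IN SOA ns1.example.nl. hostmaster.example.nl. 1 7200 3600 1209600 3600
example.nl. 3600 IN RRSIG SOA 8 2 3600 20130901000000 20130801000000 12345 example.nl. c2ln
example.nl. 3600 IN NS ns1.example.nl.
example.nl. 3600 IN RRSIG NS 8 2 3600 20130901000000 20130801000000 12345 example.nl. c2ln
www.example.nl. 3600 IN A 192.0.2.10
www.example.nl. 3600 IN RRSIG A 8 3 3600 20130820000000 20130801000000 12345 example.nl. c2ln
"""

def _ts(text):
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp as UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def zone_problems(zone_text, now):
    """Return the reasons the zone must not be served (empty list means OK)."""
    rrsets, covered, stale = set(), set(), set()
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        name, rtype = f[0].lower(), f[3]
        if rtype != "RRSIG":
            rrsets.add((name, rtype))
        elif _ts(f[9]) <= now <= _ts(f[8]):  # inception <= now <= expiration
            covered.add((name, f[4]))
        else:
            stale.add((name, f[4]))
    return [f"{n} {t}: " + ("RRSIG outside validity window" if (n, t) in stale
                            else "no RRSIG")
            for n, t in sorted(rrsets - covered)]

def answer(zone_text, qname, qtype, now):
    """Serve matching records only if the whole zone passes; else SERVFAIL."""
    if zone_problems(zone_text, now):
        return "SERVFAIL"  # assumption: how "not publishing" surfaces to clients
    rows = [l.split() for l in zone_text.splitlines()]
    return [" ".join(f) for f in rows
            if len(f) > 4 and f[0].lower() == qname.lower() and f[3] == qtype]
```

With the sample data, a single expired signature on `www.example.nl.` makes even the correctly signed SOA unavailable, which is the behaviour the message asks for.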
