Jason,
I read the draft and like the direction of it.
It looks like you are proposing turning off validation for a domain by
the negative trust anchor.
An alternative is to insert a negative trust anchor for a particular
trust anchor.
In the first case there is an action required by the validator operator
to remove the negative trust anchor, but in the second case once an
alternate trust anchor is available then the domain starts validating
again.
Olafur
On 26/03/2012 03:57, Livingood, Jason wrote:
I just posted a -00 of a draft that may be of interest to this WG. It
covers an issue we have found in our DNSSEC deployment. My co-author is
doing some markup of the doc now so I am hoping to post a -01 before the
end of this week. (I've already found some minor typographical and
grammatical errors.)
http://www.ietf.org/id/draft-livingood-negative-trust-anchors-00.txt
Feel free to share any other questions or feedback.
Regards,
Jason
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop