Olafur Gudmundsson <[email protected]> wrote:

> It looks like you are proposing turning off validation for a domain by
> the negative trust anchor.
> An alternative is to insert a negative trust anchor for a particular trust
> anchor.
> In the first case an action is required by the validator operator to
> remove the negative trust anchor, but in the second case once an alternate
> trust anchor is available then the domain starts validating again.

I think you are assuming that there is some trust anchor with which the
broken domain can be validated. But that isn't true for a lot of DNSSEC
problems, such as expired signatures or missing signatures.

There's another use for a negative trust anchor which is likely to be a
long-term setting rather than a short-term fix as the draft describes.
Internal private zones often use made-up names. (I have seen horrible
things in my mail logs like example.int for Example Corp's internal
namespace.) It's usually easier to bodge around this kind of problem than
change everything to use a real domain name; we don't want this kind of
difficulty to discourage organizations from deploying DNSSEC on their
resolvers and public DNS. These internal namespaces are often served by
software that doesn't support DNSSEC, so you can't add a positive trust
anchor to splice them into the namespace. The documentation for Unbound's
domain-insecure option talks about this kind of scenario.

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
Viking: Variable 3 or 4. Smooth or slight, occasionally moderate later in
northwest. Fog patches. Moderate or good, occasionally very poor.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
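The two mechanisms discussed in this thread (a short-lived negative trust anchor for a domain whose signatures have expired or gone missing, versus a permanent insecure-domain entry for an internal namespace such as the made-up example.int served by software that cannot sign, which is what Unbound's domain-insecure option provides) can be modelled in a few lines. The following is an added example written for this page; it is not Unbound's code nor anything from the draft, and the class and function names, the sample domains and the timestamps are all assumptions made for illustration. It shows the two points a validator operator cares about: temporary anchors must expire so validation resumes on its own, and the "does this entry cover that name" test must match on label boundaries, because a naive suffix comparison would silently disable validation for unrelated names such as notexample.int.

```python
"""Model of how a validating resolver applies negative trust anchors (NTAs).

Added example for this thread, not code from Unbound or from the draft.
Two kinds of entry are modelled (names and sample data are constructed):
  * a temporary NTA for a domain whose DNSSEC is broken (expired or missing
    RRSIGs); it carries an expiry so the operator is forced to revisit it;
  * a permanent insecure domain for an internal namespace with a made-up
    name whose servers cannot sign (the Unbound domain-insecure scenario).
"""
from dataclasses import dataclass
from typing import Optional


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def is_subdomain(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it, comparing whole labels.

    A plain name.endswith(zone) test would wrongly treat "notexample.int"
    as covered by an entry for "example.int"; comparing label lists avoids that.
    """
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


@dataclass
class NegativeTrustAnchor:
    domain: str
    expires: Optional[float]  # unix time; None means permanent (domain-insecure)
    reason: str               # free text, so the operator remembers why it exists


class ValidationPolicy:
    """Decides whether a query name must be DNSSEC-validated."""

    def __init__(self) -> None:
        self._entries: list[NegativeTrustAnchor] = []

    def add_temporary(self, domain: str, now: float, lifetime: float, reason: str) -> None:
        """Short-term NTA for a broken domain; it lapses after `lifetime` seconds."""
        self._entries.append(NegativeTrustAnchor(domain, now + lifetime, reason))

    def add_insecure_domain(self, domain: str, reason: str) -> None:
        """Long-term entry for an internal namespace that can never validate."""
        self._entries.append(NegativeTrustAnchor(domain, None, reason))

    def covering_entry(self, qname: str, now: float) -> Optional[NegativeTrustAnchor]:
        """Return the closest-enclosing live entry covering qname, or None."""
        best: Optional[NegativeTrustAnchor] = None
        for entry in self._entries:
            if entry.expires is not None and entry.expires <= now:
                continue  # lapsed NTA: ignored, so validation resumes by itself
            if is_subdomain(qname, entry.domain):
                if best is None or len(_labels(entry.domain)) > len(_labels(best.domain)):
                    best = entry
        return best

    def must_validate(self, qname: str, now: float) -> bool:
        """True unless a live NTA or insecure-domain entry covers the name."""
        return self.covering_entry(qname, now) is None

    def expire(self, now: float) -> list[str]:
        """Purge lapsed temporary NTAs and return their names for logging."""
        lapsed = [e.domain for e in self._entries
                  if e.expires is not None and e.expires <= now]
        self._entries = [e for e in self._entries
                         if e.expires is None or e.expires > now]
        return lapsed


def build_sample_policy(t0: float) -> ValidationPolicy:
    """Constructed sample: one permanent internal namespace, one 24h NTA."""
    policy = ValidationPolicy()
    policy.add_insecure_domain("example.int", "internal namespace, unsigned servers")
    policy.add_temporary("broken.example", t0, 24 * 3600, "expired RRSIGs at delegation")
    return policy


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    p = build_sample_policy(t0)
    for q in ("www.example.com", "host.corp.example.int.", "notexample.int", "broken.example"):
        print(f"{q:28} validate={p.must_validate(q, t0)}")
    print("lapsed after a day:", p.expire(t0 + 24 * 3600 + 1))
```

The closest-enclosing match in covering_entry is what lets a narrow temporary NTA sit underneath a broader permanent entry, or vice versa, without the two interfering; the expire method is the piece a real resolver runs periodically so that a "short-term fix" does not quietly become a permanent hole.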