I read the draft, and I seem to be missing a part where a domain is intentionally insecure. Such a situation might occur e.g. in tools investigating if DNSSEC is working properly from an end-user perspective. I can also imagine there are other situations where DNSSEC validation is broken on purpose. So somewhere in section 7 it should state not to use negative trust anchors for domains that are intentionally insecure, though I wonder how this could be signalled (in a secure way).
-- 
Antoin Verschuren

Technical Policy Advisor
SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500 F: +31 26 3525505 M: +31 6 23368970
mailto:[email protected] xmpp:[email protected] http://www.sidn.nl/

On 26 Mar 2012, at 09:57, Livingood, Jason wrote:

> I just posted a –00 of a draft that may be of interest to this WG. It covers
> an issue we have found in our DNSSEC deployment. My co-author is doing some
> markup of the doc now so I am hoping to post a –01 before the end of this
> week. (I've already found some minor typographical and grammatical errors.)
>
> http://www.ietf.org/id/draft-livingood-negative-trust-anchors-00.txt
>
> Feel free to share any other questions or feedback.
>
> Regards,
> Jason
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
