Jason,

On Tuesday, 2012-03-27 15:19:23 +0000, "Livingood, Jason" <[email protected]> wrote:
> I posted a -01 a short time ago
> (http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01)
> and listed this in open items for the next version. I may have some
> questions on the best way to include that.
I like this idea; it was something I planned on including in BIND 10 for a while, although we've got other higher-priority things to add first (like DNSSEC validation). ;)

One tiny bit:

    Furthermore, a Negative Trust Anchor should be used only for a short
    duration, perhaps for a day or less.

While for larger ISPs a top-100 approach makes sense, and so a 1-day fix is reasonable to expect, other operators will have other concerns. For example, you may have a distributor for your business that has a crappy IT department and simply can't get their zones fixed in a reasonable time, or you may have a department at your university that is literally gone for the summer.

The approach I had planned on taking is simply to require that an administrator specify the ending time of the Negative Trust Anchor. If they want to, of course they can put 30 years (or perhaps however much time is left until their retirement), but at least they would have had to think about the issue!

--
Shane

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
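Added example for this thread, written by the editor; it is not BIND 10 code, not from the draft, and not anything Shane or Jason posted. It shows what "require that an administrator specify the ending time" looks like as resolver configuration handling: an NTA table that rejects any entry without an end time (or one already in the past), warns when the lifetime exceeds the draft's suggested day, applies an anchor to the zone and everything below it at a label boundary, and drops anchors once their end time passes. The one-line config format, the function names, the sample config and the one-day warning threshold are assumptions for illustration.

```python
"""
Negative trust anchors (NTAs) with a mandatory end time.

Added example: not BIND 10 code and not part of the draft. The config
format ('<zone> <RFC 3339 end time>'), the function names and the
one-day advisory limit are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

# The draft says "perhaps for a day or less"; anything longer only warns.
ADVISED_MAX_LIFETIME = timedelta(days=1)


class NTAError(ValueError):
    """A config line that must not be accepted (e.g. no end time given)."""


def _canon(name):
    """Lower-case and drop the trailing dot: 'Example.COM.' -> 'example.com'."""
    return name.strip().lower().rstrip(".")


def _parse_time(text):
    """RFC 3339 timestamp -> aware datetime (a trailing 'Z' means UTC)."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    t = datetime.fromisoformat(text)
    if t.tzinfo is None:
        raise ValueError("end time needs a UTC offset or 'Z'")
    return t


def parse_nta_config(text, now):
    """
    Parse lines of the form '<zone> <end-time>' (comments start with '#').
    Returns (table, warnings): a list of (zone, expiry) tuples and a list
    of warning strings. A line with no end time is rejected outright: the
    operator has to say when the anchor stops applying, even if that is
    decades away.
    """
    table, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise NTAError(f"line {lineno}: expected '<zone> <end-time>', got {raw!r}")
        zone = _canon(fields[0])
        try:
            expiry = _parse_time(fields[1])
        except ValueError as e:
            raise NTAError(f"line {lineno}: bad end time {fields[1]!r}: {e}") from e
        if expiry <= now:
            raise NTAError(f"line {lineno}: NTA for {zone!r} already expired at {expiry.isoformat()}")
        if expiry - now > ADVISED_MAX_LIFETIME:
            warnings.append(f"line {lineno}: NTA for {zone!r} lasts {expiry - now}, "
                            f"longer than the advised {ADVISED_MAX_LIFETIME}")
        table.append((zone, expiry))
    return table, warnings


def _covers(zone, qname):
    """True if qname is the zone itself or below it (label boundary respected)."""
    if zone == "":  # an NTA on the root covers every name
        return True
    return qname == zone or qname.endswith("." + zone)


def validation_disabled(table, qname, now):
    """Should DNSSEC validation be skipped for qname at time `now`?"""
    q = _canon(qname)
    return any(_covers(zone, q) and now < expiry for zone, expiry in table)


def purge_expired(table, now):
    """Drop anchors whose end time has passed; returns the still-live entries."""
    return [(z, e) for z, e in table if now < e]


# Constructed sample data (assumption, not from the thread).
SAMPLE_NOW = datetime(2012, 3, 28, 12, 0, tzinfo=timezone.utc)
SAMPLE_CONFIG = """
# zone                 end time (RFC 3339)
example.com            2012-03-29T12:00:00Z          # fixed by tomorrow
Dist.Example.NET.      2042-01-01T00:00:00+00:00     # flaky distributor
"""


def demo():
    """Exercise the table at load time and two days later."""
    table, warnings = parse_nta_config(SAMPLE_CONFIG, SAMPLE_NOW)
    later = SAMPLE_NOW + timedelta(days=2)
    return {
        "entries": len(table),
        "warnings": len(warnings),
        "www_example_com_now": validation_disabled(table, "www.example.com.", SAMPLE_NOW),
        "notexample_com_now": validation_disabled(table, "notexample.com", SAMPLE_NOW),
        "example_com_later": validation_disabled(table, "example.com", later),
        "dist_later": validation_disabled(table, "x.dist.example.net", later),
        "live_later": [z for z, _ in purge_expired(table, later)],
    }


if __name__ == "__main__":
    print(demo())
```

The label-boundary check matters: an anchor for example.com must not silence validation for notexample.com. Rejecting an already-expired entry at load time catches the typo'd year before it silently leaves the zone validating (or, worse, a stale one lingering in a config nobody rereads).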
