Chris,

On Wednesday, 2012-04-11 02:36:59 +0000, "Griffiths, Chris" <[email protected]> wrote:
> > > Suggested rewrite:
> >
> > Furthermore, a Negative Trust Anchor MUST only be used for a
> > short duration, perhaps for a day or less. Implementations
> > MUST require an end-time configuration associated with any negative
> > trust anchor. Implementations SHOULD limit the maximum time
> > into the future to one day. In other words, the configuration
> > directive will be invalid if it is missing an end-time or if
> > the end time is greater than "now" plus 86400 seconds.
>
> Agreed. Maximum time supported makes sense to me.
This seems like an unnecessary limitation to me. For example, I know someone who regularly forgets to re-sign his zones. Yes, he knows he should set BIND up to re-sign them automatically or perhaps use zkt, but that takes time and it's just his own vanity domain. Personally I would like to set a negative trust anchor for his zones until such time as he sets something like this up, since I know that the signatures will expire in a few months and break the zone for me at that time.

Plus, I know it is surprising to folks on this list, but some zones do not have full time administrators, and may have to wait until admin staff get back on Monday morning before they are fixed - or perhaps even until the one "computer guy" at a company gets back from vacation.

I'm just saying, requiring some maximum time makes sense, but specifying one that works for large, professional ISPs may not work for everyone. Can we just keep it open?

--
Shane

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
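As an added illustration, not part of the thread or the draft text, of the end-time rule in the quoted rewrite and of the longer cap Shane asks for, here is a small Python model of a resolver's negative trust anchor table. The `<domain> end=<unix-seconds>` directive syntax and the operator-configurable `max_lifetime` are assumptions, as are the sample directives.

```python
# Maximum time into the future proposed in the quoted text: "now" plus 86400 seconds.
DEFAULT_MAX_LIFETIME = 86400


def _canon(name: str) -> str:
    """Lower-case a domain name and give it a single trailing dot."""
    return name.lower().rstrip(".") + "."


def load_ntas(lines, now: int, max_lifetime: int = DEFAULT_MAX_LIFETIME):
    """Parse "<domain> end=<unix-seconds>" directives (assumed syntax).
    Returns (accepted, rejected): accepted maps canonical domain -> end time,
    rejected lists a reason for every directive failing the end-time rule."""
    accepted: dict[str, int] = {}
    rejected: list[str] = []
    for raw in lines:
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        domain = _canon(parts[0])
        end = None
        for opt in parts[1:]:
            key, _, value = opt.partition("=")
            if key == "end" and value.isdigit():
                end = int(value)
        if end is None:
            rejected.append(f"{domain}: missing end-time")
        elif end > now + max_lifetime:
            rejected.append(f"{domain}: end-time exceeds now + {max_lifetime}s")
        else:
            accepted[domain] = end
    return accepted, rejected


def nta_suppresses_failure(ntas: dict[str, int], qname: str, now: int) -> bool:
    """True if an unexpired NTA at qname or one of its ancestors turns a
    validation failure into an insecure answer; expired entries are dropped."""
    labels = _canon(qname).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."  # walk up: www.example.com. -> example.com. -> com.
        end = ntas.get(candidate)
        if end is not None and now < end:
            return True
        if end is not None:
            del ntas[candidate]  # past its end-time: stop trusting it
    return False
```

With the default cap a directive ending 100000 seconds out is rejected; raising `max_lifetime` (the "keep it open" case) accepts the same directive unchanged.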
