Moin!

On 12.04.2012, at 14:21, Marc Lampo wrote:

> It holds an alternative possibility to overcome the problem
> - for operators of validating name servers - of failing domains
> because of DNSSEC.
>
> The alternative is to have a parent regularly (no frequency defined)
> check the coherence of DS information they have against DNSKEY information
> it finds published.
> If the parent detects "security lameness" (term used in RFC4641bis) its
> possible reaction could be to remove the DS information.

It is something completely different and I certainly welcome TLDs doing that. But it's not an alternative, it's an addition. Someone who wants to operate DNSSEC-aware resolvers that validate today must have the ability to deploy negative trust anchors, IMHO.
> The draft of Negative Trust Anchors does not mention anything about
> informing the operator of the failing domain.
> But since a parent domain operator should "know" who operates the
> child domains, they can also actively inform (e.g. send email to the registered
> contact person). That way, somebody can start working on correcting
> the root cause.

Agreed, we should amend section 7 with steps to take when a negative trust anchor is discovered, and that should be one of them.

So long
-Ralf

---
Ralf Weber
Senior Infrastructure Architect
Nominum Inc.
2000 Seaport Blvd. Suite 400
Redwood City, California 94063
[email protected]

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
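The parent-side "coherence of DS against DNSKEY" check quoted above, written out as an added example; this is not code from the thread, from the Negative Trust Anchors draft, or from any registry. It implements the DS digest construction of RFC 4034 section 5.1.4, the key tag of RFC 4034 Appendix B and the DS-to-DNSKEY matching rule of RFC 4035 section 5.2, then reports a delegation as securely lame when no DS the parent holds matches any DNSKEY the child publishes, and shows the reaction Marc mentions (dropping the unmatched DS). The zone name, the key bytes and the function names are constructed for the example; the keys are toy byte strings, not real keys, and a real deployment would fetch the child's DNSKEY RRset over DNS instead of the inline sample.

```python
"""
Parent-side DS/DNSKEY coherence check ("security lameness" detection).

A parent holds DS records for a delegation; the child publishes DNSKEY
records. Per RFC 4034 s5.1.4 a DS digest is computed over
    owner name (canonical wire form) || DNSKEY RDATA
and RFC 4035 s5.2 treats a DS as matching a DNSKEY when key tag, algorithm
and digest agree and the DNSKEY has the Zone Key flag set. If no parent DS
matches any child DNSKEY, the delegation is securely lame: validating
resolvers cannot build a chain of trust and will SERVFAIL the zone.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 256 = ZSK, 257 = KSK (bit 7 = Zone Key, bit 15 = SEP)
    protocol: int      # must be 3
    algorithm: int     # e.g. 8 = RSASHA256
    public_key: bytes  # raw key material (base64-decoded in zone-file form)

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int   # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: bytes


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name: str) -> bytes:
    """Owner name in canonical (lowercased) wire format, RFC 4034 s6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (the algorithm-1 special case is omitted)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """The DS the parent should hold for this key (what the child would submit)."""
    digest = DIGESTS[digest_type](owner_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """RFC 4035 s5.2 matching rule for one DS against one DNSKEY."""
    if ds.digest_type not in DIGESTS:
        return False                      # unknown digest type: unusable for validation
    if key.protocol != 3 or not key.flags & 0x0100:
        return False                      # not a zone key
    if key.algorithm != ds.algorithm or key_tag(key) != ds.key_tag:
        return False                      # cheap checks before hashing
    return ds_from_dnskey(owner, key, ds.digest_type).digest == ds.digest


def is_securely_lame(owner: str, parent_ds: List[DS], child_dnskeys: List[DNSKEY]) -> bool:
    """True when no DS the parent publishes matches any DNSKEY the child publishes."""
    return not any(ds_matches(owner, ds, k) for ds in parent_ds for k in child_dnskeys)


def prune_lame_ds(owner: str, parent_ds: List[DS], child_dnskeys: List[DNSKEY]) -> Tuple[List[DS], List[DS]]:
    """
    The reaction discussed in the thread: drop DS records that no longer match a
    published DNSKEY. Returns (kept, removed). If `kept` is empty the parent is
    turning the delegation insecure (unsigned), which is the trade-off at issue.
    """
    kept = [ds for ds in parent_ds if any(ds_matches(owner, ds, k) for k in child_dnskeys)]
    removed = [ds for ds in parent_ds if ds not in kept]
    return kept, removed


# --- Constructed sample data: toy key bytes, NOT real cryptographic keys ---
ZONE = "Example.NET."
KSK = DNSKEY(257, 3, 8, bytes.fromhex("03010001abcd"))
ZSK = DNSKEY(256, 3, 8, bytes.fromhex("0301000112345678"))
ROLLED_KSK = DNSKEY(257, 3, 8, bytes.fromhex("030100010000"))  # new KSK, DS never updated
PARENT_DS = [ds_from_dnskey(ZONE, KSK, 2)]                       # what the parent received

if __name__ == "__main__":
    print("healthy   :", is_securely_lame(ZONE, PARENT_DS, [KSK, ZSK]))        # False
    print("after roll:", is_securely_lame(ZONE, PARENT_DS, [ROLLED_KSK, ZSK]))  # True
    kept, removed = prune_lame_ds(ZONE, PARENT_DS, [ROLLED_KSK, ZSK])
    print("kept %d DS, would remove %d (key tag %d)" % (len(kept), len(removed), removed[0].key_tag))
```

Two caveats a parent operator would want before acting on the result: the DNSKEY RRset must be fetched from the child's authoritative servers (not through a validating resolver, which would already SERVFAIL the lame zone), and a single failed check is not proof of lameness, since a key rollover in progress can legitimately publish a new DNSKEY before the DS is updated; the check should persist across several intervals before any DS is removed, and the registered contact should be informed first, as the thread suggests.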
