Mark,

On 12.04.2012, at 14:21, Marc Lampo wrote:

> > It holds an alternative possibility to overcome the problem
> > - for operators of validating name servers - of failing domains
> > because of DNSSEC.
> >
> > The alternative is to have a parent regularly (no frequency defined)
> > check the coherence of DS information they have against DNSKEY
> > information it finds published.
> > If the parent detects "security lameness" (term used in RFC4641bis)
> > its possible reaction could be to remove the DS information.
=> From my experience, "active parenting" is not a good practice.

Specifically in this case, you are assuming that the parent knows the algorithms used for the DS record. He would have to in order to validate. That might not always hold true.

Additionally, the record is not 'yours', it is just parked in your zone by the child. For the parent to tamper with either the NS or DS is IMHO not a good practice.

/S

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
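The coherence check the quoted proposal describes, and the objection that the parent can only judge a DS record whose digest type it implements, can be made concrete. The following is an added example, not code from either poster or from any registry; it builds the DS digest from a DNSKEY the way RFC 4034 section 5.1.4 specifies (hash over the canonical owner name followed by the DNSKEY RDATA) and compares the result against the DS set the parent holds. The DNSKEY public-key bytes, the owner name example.com and the CheckResult/check_delegation names are constructed for illustration; no real key is used.

```python
"""DS-vs-DNSKEY coherence check, the kind of "security lameness" test a parent could run."""
import hashlib
from dataclasses import dataclass, field

# DS digest types this checker implements (RFC 4034 s.5.1.3, RFC 4509, RFC 6605).
# Type 3 (GOST, RFC 5933) is deliberately absent: a parent that does not
# implement a digest type cannot judge that DS record at all.
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}
ZONE_KEY_FLAG = 0x0100  # RFC 4034 s.2.1.1


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s.6.2): lowercased labels, length-prefixed, root terminator."""
    labels = name.rstrip(".").lower()
    out = bytearray()
    for label in (labels.split(".") if labels else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # constructed bytes in the examples below, not a real key

    def rdata(self) -> bytes:
        # Flags | Protocol | Algorithm | Public Key (RFC 4034 s.2.1)
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not the special case for deprecated RSAMD5, algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """DS digest = H(canonical owner name | DNSKEY RDATA), RFC 4034 s.5.1.4."""
    algo = DIGEST_ALGOS.get(digest_type)
    if algo is None:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    rdata = key.rdata()
    digest = hashlib.new(algo, name_to_wire(owner) + rdata).digest()
    return DS(key_tag(rdata), key.algorithm, digest_type, digest)


@dataclass
class CheckResult:
    matched: list = field(default_factory=list)       # DS records backed by a published DNSKEY
    stale: list = field(default_factory=list)         # checkable, but no published DNSKEY matches
    unverifiable: list = field(default_factory=list)  # digest type unknown to this parent

    @property
    def security_lame(self) -> bool:
        # Declare lameness only when every DS could be checked and none matched;
        # an unverifiable DS must never be treated as evidence of lameness.
        return bool(self.stale) and not self.matched and not self.unverifiable


def check_delegation(owner: str, parent_ds: list, child_dnskeys: list) -> CheckResult:
    """Compare the DS set held at the parent against the DNSKEY RRset published by the child."""
    result = CheckResult()
    # Only protocol-3 keys with the Zone Key bit may be referenced by a DS (RFC 4035 s.5.2).
    candidates = [k for k in child_dnskeys if k.protocol == 3 and k.flags & ZONE_KEY_FLAG]
    for ds in parent_ds:
        if ds.digest_type not in DIGEST_ALGOS:
            result.unverifiable.append(ds)
            continue
        hit = any(
            k.algorithm == ds.algorithm and ds_from_dnskey(owner, k, ds.digest_type) == ds
            for k in candidates
        )
        (result.matched if hit else result.stale).append(ds)
    return result


if __name__ == "__main__":
    ksk = DNSKEY(257, 3, 13, b"\x01\x02\x03\x04")        # constructed, not a real ECDSA key
    ds = ds_from_dnskey("example.com.", ksk, 2)
    print("coherent:", not check_delegation("example.com.", [ds], [ksk]).security_lame)
    rolled = DNSKEY(257, 3, 13, b"\x04\x03\x02\x01")     # child rolled its KSK, parent DS not updated
    print("lame after roll:", check_delegation("example.com.", [ds], [rolled]).security_lame)
```

The three-way result is the point of the example: a DS whose digest type the parent does not implement lands in `unverifiable`, and `security_lame` stays False however many such records there are, so a parent acting on this check has no basis for touching a DS it cannot evaluate.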
