Inline below. - JL
On 4/10/12 10:06 AM, "Shane Kerr" <[email protected]> wrote:

>Jason,
>
>On Tuesday, 2012-03-27 15:19:23 +0000,
>"Livingood, Jason" <[email protected]> wrote:
>> I posted a 01 a short time ago
>> (http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01)
>> and listed this in open items for the next version. I may have some
>> questions on the best way to include that.
>
>I like this idea; it was something I planned on including in BIND 10
>for a while, although we've got other higher-priority things to add
>first (like DNSSEC validation). ;)
>
>One tiny bit:
>
> Furthermore, a Negative Trust Anchor should be used only for a short
> duration, perhaps for a day or less.
>
>
>While for larger ISPs a top-100 approach makes sense, and so a 1 day fix
>is reasonable to expect, other operators will have other concerns. For
>example, you may have a distributor for your business that has a crappy
>IT department and simply can't get their zones fixed in a reasonable
>time, or you may have a department at your university that is literally
>gone for the summer.

This is indeed an issue we have observed. Here are some recent examples where we've not seen a 1 or 2 day resolution:

http://dnsviz.net/d/www.bayfieldelectric.com/T4wofg/dnssec/
http://dnsviz.net/d/www.bayfieldelectric.com/T4wofg/dnssec/

>The approach I had planned on taking is simply to require that an
>administrator specify the ending time of the Negative Trust Anchor. If
>they want to, of course they can put 30 years (or perhaps however much
>time is left until their retirement), but at least they would have had
>to think about the issue!

I think that is a great approach! And perhaps have a default TTL in there for the NTA of X hours.

- Jason

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
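As an added example (not code from BIND 10, from the draft, or from either author), here is a small Python model of the scheme the two messages converge on: every Negative Trust Anchor entry carries an end time, given explicitly by the administrator or derived from a default TTL, and a lookup walks up the query name to find a covering anchor, discarding expired ones as it goes. The 24-hour default, the class and function names, and the mapping of a covered "bogus" result to "insecure" are my assumptions; the thread leaves the default as "X hours" and specifies no API.

```python
"""Negative Trust Anchor (NTA) table with a mandatory expiry.

Added illustration, not code from BIND 10 or from
draft-livingood-negative-trust-anchors. Every entry must end at some
point: either the operator gives expires_at / ttl, or DEFAULT_NTA_TTL
(an assumed value; the thread says only "X hours") is applied.
"""
from datetime import datetime, timedelta, timezone

DEFAULT_NTA_TTL = timedelta(hours=24)  # assumed default, not from the thread


class NegativeTrustAnchors:
    """Map of owner name -> expiry time. All names are hypothetical."""

    def __init__(self, clock=None):
        # Injectable clock so the expiry behaviour can be exercised deterministically.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._entries = {}

    @staticmethod
    def _normalize(name):
        # DNS names are case-insensitive; drop the trailing root dot.
        return name.rstrip(".").lower()

    def add(self, name, expires_at=None, ttl=None):
        """Register an NTA. The end time is mandatory: an explicit expires_at,
        a ttl relative to now, or (if neither) DEFAULT_NTA_TTL from now."""
        if expires_at is not None and ttl is not None:
            raise ValueError("give expires_at or ttl, not both")
        now = self._clock()
        if expires_at is None:
            expires_at = now + (ttl if ttl is not None else DEFAULT_NTA_TTL)
        if expires_at <= now:
            raise ValueError("NTA expiry must lie in the future")
        self._entries[self._normalize(name)] = expires_at
        return expires_at

    def covering(self, qname):
        """Return the NTA owner name covering qname (itself or an ancestor),
        or None. Expired entries encountered on the walk are purged."""
        now = self._clock()
        labels = self._normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            expiry = self._entries.get(candidate)
            if expiry is None:
                continue
            if expiry <= now:
                del self._entries[candidate]  # past its end time: no longer honoured
                continue
            return candidate
        return None

    def apply(self, qname, validation_status):
        """Post-process a validator result. Only a 'bogus' result under an
        active NTA is downgraded to 'insecure'; everything else is untouched."""
        if validation_status == "bogus" and self.covering(qname) is not None:
            return "insecure"
        return validation_status


if __name__ == "__main__":
    nta = NegativeTrustAnchors()
    # Constructed sample: the zone from the dnsviz links in the thread.
    until = nta.add("bayfieldelectric.com.", ttl=timedelta(hours=12))
    print("NTA active until", until.isoformat())
    print(nta.apply("www.bayfieldelectric.com", "bogus"))   # insecure
    print(nta.apply("www.bayfieldelectric.com", "secure"))  # secure
    print(nta.apply("example.net", "bogus"))                # bogus
```

Because `add` refuses an entry without a future end time and `covering` drops entries once the clock passes it, an operator who forgets to revisit an NTA gets validation back automatically instead of leaving a permanent hole in DNSSEC enforcement.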
