On Feb 17, 2013, at 7:37 AM, "Livingood, Jason" <[email protected]> wrote:
> Makes sense to me. So if I added very explicit text to the effect that
> "Negative Trust Anchors MUST NOT be used by host-based DNSSEC validating
> DNS resolvers; this practice only pertains to network-based DNS recursive
> resolvers that multiple hosts query." would that do it?

Please: no. If I have local validation turned on for my own host, and there is a site I need to get to but it has broken signatures, I would like a GUI that says "this zone has broken signatures; ignore validation failures for 60 minutes?". There is no operational difference between a host that validates and a validating recursive resolver that has exactly one customer that is looking at the one broken zone.

--Paul Hoffman
