On 2/18/13 4:56 PM, "Mark Andrews" <[email protected]> wrote:

>In message <[email protected]>, Olafur Gudmundsson writes:
>> Jason, in section 10 you talk about possible early removal of the NTA when
>>validation succeeds but there may be instances where validation succeeds
>>when using a sub-set of the authoritative servers thus NTA should only
>>be removed if all servers are providing "good" signatures.
>
>Why? This is no different to a server being down. Validators are
>expected to ignore bad answers so a conforming resolver will find
>the working copies of the zone.

I suppose it is sometimes hard to verify - as each auth NS must be checked. It is a corner case, but seen in the wild. I'll take a stab at trying to address it, and if you think it goes into too much detail or is too obvious, please say so. :-)

>
>>What this is bringing to my mind is maybe you want a new section with
>> guidelines on how to test for failures and in what cases failure
>> justifies NTA and what tests MUST pass before preemptive removal of an
>> NTA. Also should there be guidance that removal of NTA should include
>> cleaning the caches of all RRsets below the name?
>There are lots of ways to stuff up DNSSEC. There are different steps
>that can be taken to cleanup after such stuff ups. We don't need to
>describe those steps.

Quite so! I think this can be addressed simply in one or two sentences. If it seems unnecessary (as above) once I add it, say so.

Thanks!
Jason

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
