On 03/14/2013 07:44 PM, Joe Abley wrote:
> (Aside: if AS112++ servers were happy to slave the zone, e.g. from ICANN, we
> could sign it and install a DS RRSet in the ARPA zone. This would have the
> side benefit that we could track from ICANN's distribution masters who is
> retrieving the zone, and hence where the AS112++ operators were. So, this is
> also AS112 with DNSSEC, and it's measurable.)
>
Also has the benefit of penalizing when a slave becomes stalled, going bogus
when signatures expire. A resolver which falls in a bogus nameserver should
try with the next one. So I think the organisations should host only one NS of
the complete set, giving the chance of diversity.

Hugo

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
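The stalled-secondary effect discussed in this message, as an added example that is not part of the original thread: it checks the RRSIG validity window per nameserver and skips servers whose signatures have expired. The zone name, server names, key tag, dates and signature data are constructed, and only the time window is checked (no cryptographic verification).

```python
from datetime import datetime, timezone

# Constructed sample: the SOA RRSIG of a hypothetical signed zone as served by
# three hypothetical secondaries. Signature data is a placeholder.
SIG = "12345 example.arpa. c2lnLXBsYWNlaG9sZGVy"
SAMPLE_ANSWERS = {
    "ns-stalled.example.net.": f"example.arpa. 3600 IN RRSIG SOA 8 2 3600 20130215000000 20130201000000 {SIG}",
    "ns-a.example.net.": f"example.arpa. 3600 IN RRSIG SOA 8 2 3600 20130328000000 20130314000000 {SIG}",
    "ns-early.example.net.": f"example.arpa. 3600 IN RRSIG SOA 8 2 3600 20130414000000 20130401000000 {SIG}",
}
NOW = datetime(2013, 3, 15, tzinfo=timezone.utc)  # constructed "current time"


def _ts(text):
    """Parse the YYYYMMDDHHmmSS presentation form of an RRSIG timestamp (UTC)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def signature_window(rr):
    """Return (inception, expiration) from an RRSIG record in presentation format."""
    fields = rr.split()
    i = fields.index("RRSIG")
    # RDATA order: type covered, algorithm, labels, original TTL,
    # signature expiration, signature inception, key tag, signer, signature
    return _ts(fields[i + 6]), _ts(fields[i + 5])


def classify(answers, now):
    """Label each server by whether its RRSIG validity window covers `now`."""
    result = {}
    for server, rr in answers.items():
        inception, expiration = signature_window(rr)
        if now > expiration:
            result[server] = "expired"  # stalled secondary: validators see bogus
        elif now < inception:
            result[server] = "not-yet-valid"
        else:
            result[server] = "in-window"
    return result


def pick_server(answers, now):
    """Walk the NS set in order; return the first server whose signature is in its window."""
    status = classify(answers, now)
    return next((s for s in answers if status[s] == "in-window"), None)


if __name__ == "__main__":
    print(classify(SAMPLE_ANSWERS, NOW))
    print("use:", pick_server(SAMPLE_ANSWERS, NOW))
```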
