On Mar 15, 2013, at 11:21 AM, Hugo Salgado <[email protected]> wrote:

> On 03/14/2013 07:44 PM, Joe Abley wrote:
>> (Aside: if AS112++ servers were happy to slave the zone, e.g. from ICANN, we
>> could sign it and install a DS RRSet in the ARPA zone. This would have the
>> side benefit that we could track from ICANN's distribution masters who is
>> retrieving the zone, and hence where the AS112++ operators were. So, this is
>> also AS112 with DNSSEC, and it's measurable.)
>
> Also has the benefit of penalizing when a slave becomes stalled,
> going bogus when signatures expire.
>
> A resolver which falls in a bogus nameserver should try with the
> next one. So I think the organisations should host only one NS of the
> complete set, giving the chance of diversity.

It feels like there are two distinct issues here. If the signatures expire, all copies of those records will be affected, so diversity of name servers won't help. Diversity of name servers is certainly helpful in countering operational failures of equipment or network connectivity.

Steve
