On 03/15/2013 03:34 PM, Steve Crocker wrote:
>
> On Mar 15, 2013, at 11:21 AM, Hugo Salgado <[email protected]> wrote:
>
>>
>> On 03/14/2013 07:44 PM, Joe Abley wrote:
>>> (Aside: if AS112++ servers were happy to slave the zone, e.g. from ICANN,
>>> we could sign it and install a DS RRSet in the ARPA zone. This would have
>>> the side benefit that we could track from ICANN's distribution masters who
>>> is retrieving the zone, and hence where the AS112++ operators were. So,
>>> this is also AS112 with DNSSEC, and it's measurable.)
>>>
>>
>> Also has the benefit of penalizing when a slave becomes stalled,
>> going bogus when signatures expire.
>>
>> A resolver which falls in a bogus nameserver should try with the
>> next one. So I think the organisations should host only one NS of the
>> complete set, giving the chance of diversity.
>
> It feels like there are two distinct issues here. If the signatures expire,
> all copies of those records will be affected, so diversity of name servers
> won't help.
>

But the expiration affects only the instance that went stalled. The
rest of correctly-slaved secondaries should maintain fresh signatures.

Hugo

> Diversity of name servers is certainly helpful in countering operational
> failures of equipment or network connectivity.
>
> Steve
>
>
>
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
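
The per-instance effect discussed in this thread can be monitored from the operator side. The following is an added example, not part of the original message or of any AS112 tooling: it compares the RRSIG served by each secondary and marks the instance whose signatures have expired, plus any instance that is lagging behind the freshest copy. The zone name, server names, key tag and signature bytes are constructed placeholders.

```python
from datetime import datetime, timezone

def _ts(field):
    """RFC 4034 3.2 time field: YYYYMMDDHHmmSS, or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsig(line):
    """Extract the validity window from an RRSIG in presentation format."""
    f = line.split()
    i = f.index("RRSIG")  # fields after it: covered alg labels ottl exp inc tag signer sig
    return {"covered": f[i + 1], "expiration": _ts(f[i + 5]),
            "inception": _ts(f[i + 6]), "key_tag": int(f[i + 7])}

def audit(answers, now):
    """Map each nameserver to fresh / lagging / bogus-* based on its RRSIG."""
    sigs = {ns: parse_rrsig(rr) for ns, rr in answers.items()}
    freshest = max(s["expiration"] for s in sigs.values())
    report = {}
    for ns, s in sigs.items():
        if now > s["expiration"]:
            report[ns] = "bogus-expired"        # stalled: validators reject this copy
        elif now < s["inception"]:
            report[ns] = "bogus-not-yet-valid"  # clock skew or premature publication
        elif s["expiration"] < freshest:
            report[ns] = "lagging"              # still valid, but missed a re-sign
        else:
            report[ns] = "fresh"
    return report

# Constructed sample answers (SOA RRSIG as served by three hypothetical secondaries).
RR = "zone.example. 3600 IN RRSIG SOA 8 2 3600 {exp} {inc} 12345 zone.example. c2ln"
SAMPLE = {
    "ns-a.example.net": RR.format(exp="20130401000000", inc="20130310000000"),
    "ns-b.example.net": RR.format(exp="20130314000000", inc="20130220000000"),
    "ns-c.example.net": RR.format(exp="20130325000000", inc="20130303000000"),
}
NOW = datetime(2013, 3, 15, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ns, state in sorted(audit(SAMPLE, NOW).items()):
        print(f"{ns:20} {state}")
```

In practice the RRSIG lines would come from querying each secondary directly rather than through a resolver, since a validating resolver would already have skipped the bogus instance.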
