Hi all,

This draft has risen from the deep...

It describes a technique that a number of DNS operators use to surgically / tactically deal with DNSSEC validation failures, for large-scale outages.

We believe that this is needed -- simply telling customers "This doesn't work through us, but does work through $non-validating-competitor because we are better" simply leads to customers changing to $non-validating-competitor, or operators turning off DNSSEC for everybody.

I know that there will be some philosophical objections / discussions on this...

W

---------- Forwarded message ----------
From: <internet-dra...@ietf.org>
Date: Thu, Oct 23, 2014 at 1:06 PM
Subject: New Version Notification for draft-livingood-dnsop-negative-trust-anchors-01.txt
To: Ralf Weber <ralf.we...@nominum.com>, Jason Livingood <jason_living...@cable.comcast.com>, Warren Kumari <war...@kumari.net>, Chris Griffiths <cgriffi...@gmail.com>, Paul Ebersman <ebersman-i...@dragon.net>

A new version of I-D, draft-livingood-dnsop-negative-trust-anchors-01.txt has been successfully submitted by Warren Kumari and posted to the IETF repository.

Name: draft-livingood-dnsop-negative-trust-anchors
Revision: 01
Title: Definition and Use of DNSSEC Negative Trust Anchors
Document date: 2014-10-23
Group: Individual Submission
Pages: 17
URL: http://www.ietf.org/internet-drafts/draft-livingood-dnsop-negative-trust-anchors-01.txt
Status: https://datatracker.ietf.org/doc/draft-livingood-dnsop-negative-trust-anchors/
Htmlized: http://tools.ietf.org/html/draft-livingood-dnsop-negative-trust-anchors-01
Diff: http://www.ietf.org/rfcdiff?url2=draft-livingood-dnsop-negative-trust-anchors-01

Abstract:
DNS Security Extensions (DNSSEC) is now entering widespread deployment. However, domain signing tools and processes are not yet as mature and reliable as those for non-DNSSEC-related domain administration tools and processes. Negative Trust Anchors (described in this document) can be used to mitigate DNSSEC validation failures.

[ Editor note: This document was originally draft-livingood-negative-trust-anchors-07 - renamed at the request of the DNSOP chairs ]

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop