srose> Should there be text describing auto-adding of NTA's based on srose> important domains (for the ISP/resolver's definition of srose> important)? So that domains that are used by low level services srose> don't fail that also aren't normally visible to end users? One srose> example is nist.gov. When nist.gov messed up and went DNSSEC srose> BOGUS, time.nist.gov was unreachable by validating resolvers.
warren> Sorry, but to me this sounds like a bad idea -- you should find warren> out that you "not normally visible to end users" failures are warren> happening because your network monitoring system goes "Beep Beep warren> Beep" when low level important services die. The NOC then goes warren> off and investigates and discovers that e.g the NTP monitor it warren> sad because time.nist.gov is unresolvable. warren> At this point there really needs to be a *human* in the loop to warren> decide what to do, if the failure really *is* a DNSSEC failure warren> and, more importantly, if installing an NTA is the right answer. I'd hope it would be good operational sense for folks to have automated checks of critical things and checks of DNS logs for DNSSEC validation failures and that we shouldn't have to spell that out. But do we want to at least have a mention of doing such kinds of checks as a better way of noticing DNSSEC failures than pissed off customers or puzzled NOC folks? I do agree that we should not be inserting NTAs automatically for anything. _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
