Rubens Kuhl <[email protected]> wrote: > > My feedback to a possible -01 version is to add something related to not > consider NTAs for the upper hierarchy of a failed DNSSEC domain. For > instance, even if I see a good number of .gov domains failed DNSSEC, > adding a NTA configuration for .gov would not be considered good > operational practice, unless .gov itself starts failing DNSSEC > validation.
That is a good point. Happily I think the draft already makes it hard for operators to do that, since an NTA will be automatically removed if its zone validates (section 10). Tony. -- f.anthony.n.finch <[email protected]> http://dotat.at/ Fisher, German Bight: West or northwest 6 to gale 8, backing southwest 5 to 7. Rough or very rough. Squally showers, rain later. Good, occasionally moderate. _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
