On Mon, Dec 15, 2014 at 9:17 PM, Rubens Kuhl <[email protected]> wrote:
>
> My feedback to a possible -01 version is to add something related to not 
> considering NTAs for the upper hierarchy of a failed DNSSEC domain. For 
> instance, even if I see a good number of .gov domains failing DNSSEC, adding an 
> NTA configuration for .gov would not be considered good operational practice, 
> unless .gov itself starts failing DNSSEC validation.
>
> I know no RFC can determine what ops really end up doing, but not being 
> allowed to claim that as a prescribed practice has some value.


We had tried to capture that with:
"It does not and should not involve turning off validation more broadly."
and
"Finally, a Negative Trust Anchor SHOULD be used only in a specific
   domain or sub-domain and MUST NOT affect validation of other names up
   the authentication chain.  "

I thought that we also had some text that said that the NTA should
cover the minimum necessary to fix the issue, but I cannot find that
text at the moment - we may have removed it because it was very
clunky. Anyway, do the above bits cover what you wanted, or do you
think we need to be more explicit?

W




>
>
> Rubens
>
>> On Dec 15, 2014, at 11:15 PM, [email protected] wrote:
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts 
>> directories.
>> This draft is a work item of the Domain Name System Operations Working Group 
>> of the IETF.
>>
>>       Title           : Definition and Use of DNSSEC Negative Trust Anchors
>>       Authors         : Paul Ebersman
>>                         Chris Griffiths
>>                         Warren Kumari
>>                         Jason Livingood
>>                         Ralf Weber
>>       Filename        : draft-ietf-dnsop-negative-trust-anchors-00.txt
>>       Pages           : 17
>>       Date            : 2014-12-15
>>
>> Abstract:
>>  DNS Security Extensions (DNSSEC) is now entering widespread
>>  deployment.  However, domain signing tools and processes are not yet
>>  as mature and reliable as those for non-DNSSEC-related domain
>>  administration tools and processes.  Negative Trust Anchors
>>  (described in this document) can be used to mitigate DNSSEC
>>  validation failures.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-negative-trust-anchors/
>>
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-ietf-dnsop-negative-trust-anchors-00
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> DNSOP mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/dnsop
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

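The scoping rule the thread quotes from the draft (an NTA covers only the named domain and the names below it, and MUST NOT affect validation of names above it in the authentication chain) and Rubens' point that an NTA for .gov is the wrong fix for a handful of failing .gov children can both be checked mechanically. The following is an added example written for this page, not code from the draft, its authors, or any resolver; the function names, the failing zones and the NTA lists are constructed for illustration, and the example goes slightly beyond the thread by also computing the narrowest set of NTAs that covers a given list of failing zones.

```python
"""Added example (not from the draft or the thread): models how a validating
resolver scopes a Negative Trust Anchor (NTA) and flags NTAs that are broader
than the failures they are meant to work around.  All names and lists below
are hypothetical/constructed."""

from typing import Iterable, List, Optional


def normalize(name: str) -> str:
    """Canonical form: lowercase, no leading/trailing dot, no empty labels.
    The root zone is represented as the empty string."""
    return ".".join(label for label in name.lower().strip(".").split(".") if label)


def labels(name: str) -> List[str]:
    """Split a normalized name into labels; the root has no labels."""
    n = normalize(name)
    return n.split(".") if n else []


def is_at_or_below(name: str, zone: str) -> bool:
    """True when `name` equals `zone` or lies under it at a label boundary:
    "www.example.gov" is under "example.gov", "notexample.gov" is not."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def covering_nta(name: str, ntas: Iterable[str]) -> Optional[str]:
    """Return the most specific configured NTA that covers `name`, or None
    when `name` is still subject to full DNSSEC validation.  An NTA never
    matches names above it, so the parent of a failing zone stays validated."""
    matches = [normalize(nta) for nta in ntas if is_at_or_below(name, nta)]
    return max(matches, key=lambda z: len(labels(z)), default=None)


def overly_broad_ntas(ntas: Iterable[str], failing_zones: Iterable[str]) -> List[str]:
    """Flag NTAs that are not themselves failing zones.  Such an NTA (e.g.
    "gov" when only some children of .gov fail) disables validation for the
    whole subtree, which is the practice the thread says to rule out."""
    failing = {normalize(z) for z in failing_zones}
    return sorted(normalize(n) for n in ntas if normalize(n) not in failing)


def minimal_ntas(failing_zones: Iterable[str]) -> List[str]:
    """Narrowest configuration that covers every failing zone: one NTA per
    failing zone, dropping any zone already covered by an NTA for a failing
    ancestor.  Ancestors are processed first so the check above works."""
    zones = sorted({normalize(z) for z in failing_zones},
                   key=lambda z: (len(labels(z)), z))
    chosen: List[str] = []
    for z in zones:
        if covering_nta(z, chosen) is None:
            chosen.append(z)
    return chosen


if __name__ == "__main__":
    # Constructed scenario: three .gov zones fail validation; an operator
    # is tempted to configure a single NTA for "gov" instead.
    failing = ["broken.gov", "also-broken.gov", "child.broken.gov"]
    tempting = ["gov"]
    print("overly broad:", overly_broad_ntas(tempting, failing))
    print("minimal NTAs:", minimal_ntas(failing))
    for name in ["www.broken.gov", "other.gov", "gov", "notbroken.gov"]:
        print(f"{name:16} narrow -> {covering_nta(name, minimal_ntas(failing))!r:20}"
              f" broad -> {covering_nta(name, tempting)!r}")
```

With the narrow configuration, www.broken.gov is covered, while other.gov, the .gov zone itself and notbroken.gov (a different label that merely shares a suffix string) remain fully validated; with the single "gov" NTA every one of them loses validation, which is the outcome the draft text is meant to prohibit.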
