> On 16/12/2014, at 15:54:000, Warren Kumari <[email protected]> wrote:
>
> On Mon, Dec 15, 2014 at 9:17 PM, Rubens Kuhl <[email protected]> wrote:
>>
>> My feedback to a possible -01 version is to add something related to not
>> consider NTAs for the upper hierarchy of a failed DNSSEC domain. For
>> instance, even if I see a good number of .gov domains failed DNSSEC, adding
>> an NTA configuration for .gov would not be considered good operational
>> practice, unless .gov itself starts failing DNSSEC validation.
>>
>> I know no RFC can determine what ops really end up doing, but not being
>> allowed to claim that as a prescribed practice has some value.
>
>
> We had tried to capture that with:
> "It does not and should not involve turning off validation more broadly."
> and
> "Finally, a Negative Trust Anchor SHOULD be used only in a specific
> domain or sub-domain and MUST NOT affect validation of other names up
> the authentication chain."
>
> I thought that we also had some text that said that the NTA should
> cover the minimum necessary to fix the issue, but I cannot find that
> text at the moment - we may have removed it because it was very
> clunky. Anyway, do the above bits cover what you wanted, or do you
> think we need to be more explicit?
I think we need to be more explicit. Not from a formal perspective, which is truly addressed, but as a means to say "don't use this RFC to justify adding .gov to NTA. Do that on your own and live with it."

Rubens

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
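The scoping rule argued for in this exchange (an NTA belongs on the domain that is itself failing validation, never on a parent such as .gov because some .gov children fail) can be enforced mechanically when reviewing a resolver's NTA list. This is an added example, not code from the draft or from either correspondent; the function names and the sample domains are constructed for illustration.

```python
"""Review proposed Negative Trust Anchors (NTAs) against the scoping rule
from the thread: an NTA may cover only a domain that is itself failing
DNSSEC validation, not an ancestor up the authentication chain.
Added example; helper names and sample data are constructed."""


def labels(name: str) -> list[str]:
    """Split a DNS name into case-folded labels, ignoring a trailing dot."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]


def is_ancestor(parent: str, child: str) -> bool:
    """True when `parent` is a proper ancestor of `child` (gov of agency.gov)."""
    p, c = labels(parent), labels(child)
    if not p:                      # the root is an ancestor of every other name
        return bool(c)
    return len(p) < len(c) and c[-len(p):] == p


def review_ntas(proposed: list[str], failing: list[str]) -> dict[str, str]:
    """Return a verdict per proposed NTA (keys are normalised names).

    'ok'          : the NTA names a domain that is itself failing validation.
    'too broad'   : the NTA is an ancestor of failing domains but is not
                    failing itself (the ".gov" case); the narrower names
                    that should be used instead are listed.
    'unjustified' : nothing at or under that name is reported failing.
    """
    fail = {".".join(labels(f)) for f in failing}
    verdicts: dict[str, str] = {}
    for nta in proposed:
        key = ".".join(labels(nta))
        if key in fail:
            verdicts[key] = "ok"
            continue
        covered = sorted(f for f in fail if is_ancestor(key, f))
        if covered:
            verdicts[key] = "too broad: use " + ", ".join(covered)
        else:
            verdicts[key] = "unjustified"
    return verdicts


if __name__ == "__main__":
    # Constructed sample: two agency zones fail, the TLD itself validates.
    FAILING = ["agency-a.gov.", "Agency-B.gov"]
    PROPOSED = ["gov", "agency-a.gov", "example.com"]
    for name, verdict in review_ntas(PROPOSED, FAILING).items():
        print(f"{name:15} {verdict}")
```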
