In article <> you write:
>For example, has recently signed a bunch of domains with lame
>wildcard NS records under the zone apex.  This breaks denial of existence
>for all child domains, including TLSA lookups, and therefore breaks email
>delivery to the newly signed domains.

I think you will find that attempts to legislate against being stupid
do not generally turn out well.  It makes sense to check for mistakes
that might screw up the upper level name server like an invalid
algorithm number, but if they want to shoot themselves in the foot,
there's not much we can do about that.

There's no way to make a list of every possible stupid thing that
someone might do, so I wouldn't try.


DNSOP mailing list

Reply via email to