In article <1d06889c-770f-4f92-bf06-a76338aeb...@dukhovni.org> you write:
>For example, nazwa.pl has recently signed a bunch of domains with lame
>wildcard NS records under the zone apex. This breaks denial of existence
>for all child domains, including TLSA lookups, and therefore breaks email
>delivery to the newly signed domains.

I think you will find that attempts to legislate against being stupid do not generally turn out well.

It makes sense to check for mistakes that might screw up the upper level name server like an invalid algorithm number, but if they want to shoot themselves in the foot, there's not much we can do about that. There's no way to make a list of every possible stupid thing that someone might do, so I wouldn't try.

R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop