> NTAs are installed by resolvers, not authoritative servers. It
> sounds like this proposal is for a universal NTA; this WG soundly
> rejected that idea when it (barely) agreed to describing NTAs at
> all.

They need to be installed by validators. A validator doesn't have to be a resolver.

Currently the draft says: "Such domains will not resolve in the global DNS, but can be configured within closed networks as the network operator sees fit."

I think that rules out a delegation from the root. Assuming no delegation from the root, then, absent a negative trust anchor, DNSSEC validation will break.

Is this a case where purity in the IETF (no global negative trust anchor) will win over practical deployment of DNSSEC?
