On 25 Jun 2015, at 9:22, Anand Buddhdev wrote:

On 25/06/15 13:27, Phil Regnauld wrote:

But have you registered a domain under .KE ?

I don't have any personal domains in .KE at the moment, but I was born
and raised in Kenya, and still have family and friends there. They have
.KE domains. My inability to communicate with them, and their inability
to communicate with me, using .KE domains, makes this issue rather
important to me.

I think having withdrawn the DS RRSet from the root zone, the best way to ensure minimal disruption to end users such as yourself is to be conservative about putting it back in. That seems to me to describe exactly what KENIC are doing.

Perhaps this is a good opportunity to steer people's attention towards this document:

http://datatracker.ietf.org/doc/draft-ietf-dnsop-negative-trust-anchors/

While a severed link in the chain of trust exists that is known to be non-malicious (so, not now with KE, but earlier while they were having problems that caused validation failures) the ability to provide the kind of continuity of service that you're concerned about shifts from the operators of the authority servers to the operators of validators.

Since ignoring validation failures is not something we want anybody to do badly, I think the document referenced above is useful. I'm sure the dnsop working group (and the authors) would welcome additional review and in particular feedback from end-users.


Joe
