Paul,
On Tuesday, 2012-04-10 10:37:21 -0400,
Paul Wouters wrote:
> On Tue, 10 Apr 2012, Shane Kerr wrote:
> > The approach I had planned on taking is simply to require that an
> > administrator specify the ending time of the Negative Trust Anchor.
> > If they want to, of course they can put 30 ye
Chris,
On Wednesday, 2012-04-11 02:36:59 +,
"Griffiths, Chris" wrote:
>
> > Suggested rewrite:
> >
> > Furthermore, a Negative Trust Anchor MUST only be used for a
> > short duration, perhaps for a day or less. Implementations
> > MUST require an end-time configuration associ
Moin!
On 11.04.2012, at 02:11, Wes Hardaker wrote:
> 1) In addition to the following statement:
>
> Furthermore, a Negative Trust Anchor should
> be used only for a short duration, perhaps for a day or less.
>
> I'd go ahead and insert MUST/SHOULD/MAY language as well (realizing
>
Folks,
The key-timing I-D has been discussed over a long time, but has
not been refreshed for a significant while. I think we should
make progress with this memo now (in line with the rfc4641bis I-D),
and have performed a review of the most recent WG draft version,
draft-ietf-dnsop-dnssec-key
On Apr 11, 2012, at 6:02 AM, Ralf Weber wrote:
>> Suggested rewrite:
>>
>> Furthermore, a Negative Trust Anchor MUST only be used for a
>> short duration, perhaps for a day or less. Implementations MUST
>> require an end-time configuration associated with any negative
>> tru
Hi,
On 04/05/2012 12:41 AM, Alfred Hönes wrote:
> After a long delay, I have revisited the
> "DNSSEC Operational Practices, Version 2" I-D and performed
> a full review from scratch for the most recent draft version,
> draft-ietf-dnsop-rfc4641bis-10.
A v
On 04/05/2012 12:48 AM, Alfred Hönes wrote:
> Here we go with part (B); if deemed necessary, please consider
> to provide feedback for the items below on the list.
Again, all items that are adopted without feedback necessary have been
omitted from this re
Griffiths, Chris wrote:
> On Apr 10, 2012, at 8:11 PM, Wes Hardaker wrote:
>
> > Suggested rewrite:
> >
> > Furthermore, a Negative Trust Anchor MUST only be used for a
> > short duration, perhaps for a day or less.
>
> Agreed. Maximum time supported makes sense to me.
This only ma
Shane Kerr wrote:
>
> For example, I know someone who regularly forgets to re-sign his zones.
That's just stupid. There are a lot of sensible words in Jason's draft
to say that negative trust anchors should not be used as a long-term
workaround for some third party's persistent incompetence.
Ton
Nicholas,
On Wednesday, 2012-04-11 06:28:49 -0700,
Nicholas Weaver wrote:
> b) Actually, I think it should also be auto removed once the
> condition is fixed: Continue to attempt to validate the zone in
> question. When the zone validates again, the default behavior should
> be to automaticall
Tony,
On Wednesday, 2012-04-11 15:20:50 +0100,
Tony Finch wrote:
> Shane Kerr wrote:
> >
> > For example, I know someone who regularly forgets to re-sign his
> > zones.
>
> That's just stupid. There are a lot of sensible words in Jason's draft
> to say that negative trust anchors should not be
On 11 Apr 2012, at 15:48, Shane Kerr wrote:
Disabling DNSSEC validation for broken domains seems completely
rational, at least for some types of brokenness.
+1
The problem here is this becomes a local policy/configuration matter
and the experience you outlined still occurs Shane. Sometimes
Jim Reid wrote:
> On 11 Apr 2012, at 15:48, Shane Kerr wrote:
>
> > Disabling DNSSEC validation for broken domains seems completely
> > rational, at least for some types of brokenness.
>
> +1
I agree, and this is what the draft says. I suppose this sub-argument is
over where to draw the line, whi
> On Wed, 11 Apr 2012 06:28:49 -0700, Nicholas Weaver
> said:
NW> a) If end-time is specified as a date, not an interval, you can set
NW> the date to be 'end of epoch', so you can basically have it 'stay
NW> forever', even if that's not advised
That's why I suggested the upper limit, and
> On Wed, 11 Apr 2012 13:40:23 +0200, Shane Kerr said:
SK> For example, I know someone who regularly forgets to re-sign his zones.
SK> Yes, he knows he should set BIND up to re-sign them automatically or
SK> perhaps use zkt, but that takes time and it's just his own vanity
SK> domain. Persona
On Apr 4, 2012, at 8:41 AM, Joe Abley wrote:
>
> On 2012-04-04, at 08:20, William F. Maton Sotomayor wrote:
>
>> It seems that after delivering my presentation on subsequent AS112
>> delegations in Quebec City, I hadn't recalled what the group thought about
>> adopting this work as a dns
On 2012-04-11, at 12:09, Wes Hardaker wrote:
>> On Wed, 11 Apr 2012 06:28:49 -0700, Nicholas Weaver
>> said:
>
> NW> a) If end-time is specified as a date, not an interval, you can set
> NW> the date to be 'end of epoch', so you can basically have it 'stay
> NW> forever', even if that's
Joe
on 2012-04-11 17:56 Joe Abley said the following:
[...]
> ; example.com's DNSSEC is broken, let's not use it for a day
> example.com NTA 20120412162716 20120411162716 "ticket [HOPCOUNT-12345]
> jab...@hopcount.ca"
> example.com RRSIG ...
[...]
just a tiny nit to pick, would not the '@' in 'j
Dr Lisse,
On 2012-04-11, at 13:45, Dr Eberhard Lisse wrote:
> on 2012-04-11 17:56 Joe Abley said the following:
> [...]
>> ; example.com's DNSSEC is broken, let's not use it for a day
>> example.com NTA 20120412162716 20120411162716 "ticket [HOPCOUNT-12345]
>> jab...@hopcount.ca"
>> example.com
On Wed, 11 Apr 2012, Shane Kerr wrote:
Disabling DNSSEC validation for broken domains seems completely
rational, at least for some types of brokenness.
So someone will make a browser plugin to enable this. Let them.
Paul
Matthijs,
thanks for dealing with my comments so expeditiously.
(This extends to the other review comments as well.)
Please see a few follow-up remarks inline below.
On 11 Apr 2012 15:47:33 +0200, Matthijs Mekking wrote:
> Hi,
>
> On 04/05/2012 12:41 AM, Alfred Hönes wrote:
>> After a long dela
Matthijs,
again thanks for your quick and detailed response and action.
A few selected follow-up remarks can be found inline below.
On 11 Apr 2012 15:48:26 +0200, Matthijs Mekking wrote:
> On 04/05/2012 12:48 AM, Alfred Hönes wrote:
>> Here we go with part (B); if deemed necessary, please conside
+1.
I think a cleaner, simpler coordination framework for how to get things added
AND REMOVED from AS112 makes a lot of sense.
I say removed, because at least some discussion has revolved around people
wanting domains on there that others believe they have future use of. So
de-delegation from
On 11 April 2012 14:48, Matthijs Mekking wrote:
>
>
> On 04/05/2012 12:48 AM, Alfred Hönes wrote:
> >
> > | o "Signature validity period" The time interval during which a
> > | signature is valid. It starts at the (absolute) time specified in
> > | the signature inception field of the RRSI