[dns-operations] Implementation of negative trust anchors?

Paul Vixie paul at redbarn.org
Thu Aug 22 20:51:25 UTC 2013



Keith Mitchell wrote:
>>> From: Doug Barton <dougb at dougbarton.us>
>>> As stated before, the problem is that after the "early adopter" period 
>>> is over we'll be stuck with NTAs forever. This is one of those 
>>> fundamental disagreements between those who believe that DNS should 
>>> always be forgiving of operator error, and those of us who do not.
>
> So, for DNSSEC deployment transition work-arounds:
> - ISC's DLV is the white list
> - NTAs are the black list
>
> and both need a best-before date ?

dlv was best before the root was signed, so it's years overdue for killing.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130822/6d222b6a/attachment.html>


More information about the dns-operations mailing list