[dns-operations] Implementation of negative trust anchors?
David Conrad
drc at virtualized.org
Fri Aug 23 14:39:06 UTC 2013
On Aug 22, 2013, at 5:06 PM, Paul Vixie <paul at redbarn.org> wrote:
> i just find it indescribable that a content owner who signs their zone as a means to protect themselves against corruption in their secondary servers, can have that tool taken out of their hands by a distant resolver operator who uses NTA to keep their own phone from ringing.
They already have that regardless of NTA. In BIND configuration language it's:
dnssec-validation no;
NTA simply gives the resolver operator the ability to limit the damage to a single zone instead of ALL zones.
> what i would like in local policies like nta or dlv which seek to be distributed and scalable is,
A local policy pretty much by definition is not supposed to be distributed and scalable.
Regards,
-drc
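As an added illustration, not part of David Conrad's message or of the BIND documentation, here are the two levels of policy his reply contrasts as they look in BIND 9.11 or later, where a negative trust anchor can be configured statically with validate-except. The two options blocks are alternatives to compare, not one file (named.conf accepts a single options block), and example.com is a placeholder zone name:

```conf
// Added example for comparison; not from the original message.

// Alternative A: the blunt instrument the reply refers to.
// Validation is switched off for every zone this resolver answers for,
// so a misconfigured signature anywhere is silently accepted.
options {
    dnssec-validation no;
};

// Alternative B: a negative trust anchor. Validation stays on, and only
// the placeholder zone (and its subdomains) is exempted, so the damage is
// limited to the one zone the operator has a reason to distrust.
// This static form persists across restarts until the operator removes it.
options {
    dnssec-validation auto;
    validate-except { "example.com"; };
};
```

At runtime the same effect is available without editing the configuration: `rndc nta -lifetime 1h example.com` installs a temporary NTA that expires on its own (the default and maximum lifetime are governed by nta-lifetime, capped at one week), and `rndc nta -remove example.com` drops it early. The expiry is the detail worth caring about from the zone owner's side of this thread: a static validate-except entry stays in force indefinitely, whereas an rndc-installed NTA forces the resolver operator to revisit the decision.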