[dns-operations] Implementation of negative trust anchors?
drc at virtualized.org
Fri Aug 23 14:39:06 UTC 2013
On Aug 22, 2013, at 5:06 PM, Paul Vixie <paul at redbarn.org> wrote:
> i just find it indescribable that a content owner who signs their zone as a means to protect themselves against corruption in their secondary servers, can have that tool taken out of their hands by a distant resolver operator who uses NTA to keep their own phone from ringing.
They already have that regardless of NTA. In BIND configuration language it's:
NTA simply gives the resolver operator the ability to limit the damage to a single zone instead of ALL zones.
> what i would like in local policies like nta or dlv which seek to be distributed and scalable is,
A local policy pretty much by definition is not supposed to be distributed and scalable.