[dns-operations] Implementation of negative trust anchors?

WBrown at e1b.org WBrown at e1b.org
Fri Aug 23 19:01:23 UTC 2013


From: Vernon Schryver <vjs at rhyolite.com>

> If you don't let them use `rndc validation off X hours`, most will
> use `rndc nta gov` because their users will be shouting about government
> web site problems and they won't have the time, inclination, or
> permission to discover that it's only the apod.nasa.gov.

Which is worse, turning off all validation for 24 hours or turning off 
validation for just .gov for 24 hours?

Ideally, it is best to turn off validation for as narrowly focused a zone 
as possible for as short a time as possible.  'rndc nta apod.nasa.gov X hours'

How long does it take to go to DNSVIS or the like to find where the break 
is?  Time and permission to discover are minimized.  Inclination cannot be 
controlled for, but those who know about 'rndc nta ___' will hopefully be 
aware of the tools to test before implementing.
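
The "test before implementing" step above, as an added example that is not part of the original message: it walks from the TLD down toward a failing name and prints the shortest ancestor that fails only under DNSSEC validation, which is the narrowest scope a negative trust anchor needs. The function names, the `RESOLVER` variable and the assumption of a validating resolver reachable with `dig` are this example's own.

```shell
# Added example; assumes dig (BIND utilities) and a validating resolver.
RESOLVER="${RESOLVER:-127.0.0.1}"

# rcode NAME [dig flags]: print the response status (NOERROR, SERVFAIL, ...).
rcode() {
    name=$1; shift
    dig "@$RESOLVER" "$name" SOA +noall +comments +time=3 +tries=1 "$@" |
        sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# validation_broken NAME: true when NAME fails only because of validation:
# SERVFAIL normally, but an answer once checking is disabled (+cd).
# SERVFAIL with +cd as well means an outage, which an NTA would not fix.
validation_broken() {
    [ "$(rcode "$1")" = "SERVFAIL" ] && [ "$(rcode "$1" +cd)" != "SERVFAIL" ]
}

# find_break NAME: test gov, then nasa.gov, then apod.nasa.gov, and print the
# first name whose validation is broken. Returns 1 if no ancestor is broken.
find_break() {
    rest=${1%.}
    candidate=""
    while [ -n "$rest" ]; do
        label=${rest##*.}
        candidate="$label${candidate:+.$candidate}"
        if validation_broken "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
        case $rest in
            *.*) rest=${rest%.*} ;;
            *)   rest="" ;;
        esac
    done
    return 1
}

# Typical use (not run here):
#   zone=$(find_break apod.nasa.gov) && echo "NTA scope: $zone"
# In BIND 9.11 and later the anchor is then set with, for example:
#   rndc nta -lifetime 1h "$zone"
```

If the parent zone itself is broken, the function reports the parent, since an anchor on the child alone would not restore resolution.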



