[dns-operations] Implementation of negative trust anchors?
WBrown at e1b.org
Fri Aug 23 19:01:23 UTC 2013
From: Vernon Schryver <vjs at rhyolite.com>
> If you don't let them use `rndc validation off X hours`, most will
> use `rndc nta gov` because their users will be shouting about government
> web site problems and they won't have the time, inclination, or
> permission to discover that it's only the apod.nasa.gov.
Which is worse, turning off all validation for 24 hours or turning off
validation for just .gov for 24 hours?
Ideally, it is best to turn off validation for as narrowly focused a zone
as possible for as short a time as possible. 'rndc nta apod.nasa.gov X hours'
How long does it take to go to DNSViz or the like to find where the break
is? Time and permission to discover are minimized. Inclination cannot be
controlled for, but those who know about 'rndc nta ___' will hopefully be
aware of the tools to test before implementing.