[dns-operations] Implementation of negative trust anchors?
WBrown at e1b.org
WBrown at e1b.org
Tue Aug 27 14:06:32 UTC 2013
From: Antoin Verschuren <antoin.verschuren at sidn.nl>
> A truly DNSSEC aware authoritative server should not publish a zone,
> not even the unsigned records, when validation fails for that zone.
> That way, if a DNSSEC signed zone is DNSSEC broken, it's also broken
> for a non-validating resolver, there is no competition issue, and the
> zone publisher should fix his zone to get it working at all.
Interesting idea! It would certainly get the attention of the zone admin
in a hurry!
Confidentiality Notice:
This electronic message and any attachments may contain confidential or
privileged information, and is intended only for the individual or entity
identified above as the addressee. If you are not the addressee (or the
employee or agent responsible to deliver it to the addressee), or if this
message has been addressed to you in error, you are hereby notified that
you may not copy, forward, disclose or use any part of this message or any
attachments. Please notify the sender immediately by return e-mail or
telephone and delete this message from your system.
More information about the dns-operations
mailing list