[dns-operations] Implementation of negative trust anchors?

Carlos M. Martinez carlosm3011 at gmail.com
Tue Aug 27 16:06:20 UTC 2013


On Aug 27, 2013, at 12:56 PM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:

> ...but not all of them.
No feature / idea will ever catch all of them. 

This should not keep us from implementing some of the good ideas that are going around. In fact, when I read 'an authoritative nameserver SHOULD NOT publish an invalid zone _ever_', well, I was struck by how obvious this is, and a bit ashamed at how I had never thought about it. This is something that should have always been in place.

Same for [A|I]XFR. Slaves MUST refuse to transfer invalid zones! In that way they might keep an outdated but still validly signed zone.

And, if there is a corner case where this should be allowed, well, that's what configuration options are for. 

We must build resiliency layer by layer.



> --Paul Hoffman
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

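The pre-publish / pre-transfer check the post argues for, as an added example (not code from this thread, nor from any nameserver implementation): a Python script that refuses to load a candidate zone unless every in-zone RRset carries an RRSIG that is inside its validity window and whose key tag matches an apex DNSKEY, and otherwise keeps the last good copy. The zone text, the DNSKEY and the signature fields are constructed placeholders; the script checks structure and timing only and does not verify signatures cryptographically (for that you would run dnssec-verify or use a DNSSEC library). The zone name example.test., the timestamps and the function names are assumptions made for the illustration.

```python
"""Pre-publish sanity check for a DNSSEC-signed zone (added illustration,
not code from the thread). Structural checks only: no crypto verification."""
import base64
import struct
from collections import defaultdict
from datetime import datetime, timezone


def parse_zone(text):
    """Parse 'owner ttl class type rdata...' lines into {(owner, type): [rdata tokens]}.
    Simplified presentation format (assumption): fully qualified names, one record
    per line, no $ORIGIN, no multi-line parentheses."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        rrsets[(owner.lower(), rtype.upper())].append(rdata)
    return rrsets


def key_tag(rdata):
    """RFC 4034 Appendix B key tag of a DNSKEY given as [flags, proto, alg, base64...].
    Assumes algorithm != 1 (RSA/MD5 uses a different formula)."""
    flags, proto, alg = (int(x) for x in rdata[:3])
    wire = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(rdata[3:]))
    ac = 0
    for i, b in enumerate(wire):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _ts(s):
    """RRSIG timestamp YYYYMMDDHHMMSS (UTC) -> aware datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def zone_problems(rrsets, apex, now):
    """Return a list of problems; an empty list means the zone may be published."""
    apex = apex.lower()
    problems = []
    if (apex, "SOA") not in rrsets:
        problems.append("no SOA at apex")
    keys = {key_tag(rd) for rd in rrsets.get((apex, "DNSKEY"), [])}
    if not keys:
        problems.append("no DNSKEY at apex")
    # Delegated names: NS and glue at/below a cut are unsigned by design (RFC 4035 2.2);
    # only the DS at the cut is signed by this zone.
    cuts = {owner for (owner, t) in rrsets if t == "NS" and owner != apex}

    def below_cut(name):
        return any(name == c or name.endswith("." + c) for c in cuts)

    sigs = defaultdict(list)  # (owner, covered type) -> [RRSIG rdata]
    for (owner, t), rdlist in rrsets.items():
        if t == "RRSIG":
            for rd in rdlist:
                sigs[(owner, rd[0].upper())].append(rd)
    for (owner, t), rdlist in rrsets.items():
        if t == "RRSIG" or (below_cut(owner) and t != "DS"):
            continue
        covering = sigs.get((owner, t), [])
        if not covering:
            problems.append(f"{owner} {t}: no RRSIG")
            continue
        for rd in covering:
            # RRSIG rdata: covered alg labels origttl expiration inception keytag signer sig
            expiration, inception, tag = _ts(rd[4]), _ts(rd[5]), int(rd[6])
            if tag not in keys:
                problems.append(f"{owner} {t}: RRSIG key tag {tag} matches no apex DNSKEY")
            elif not (inception <= now < expiration):
                problems.append(f"{owner} {t}: RRSIG outside validity window ({rd[5]}..{rd[4]})")
    return problems


def choose_zone_to_publish(candidate_text, current_text, apex, now):
    """The rule from the thread: never publish an invalid zone; keep the last good
    (possibly stale but validly signed) copy instead. Returns (zone_text, problems)."""
    problems = zone_problems(parse_zone(candidate_text), apex, now)
    return (current_text, problems) if problems else (candidate_text, [])


# Constructed sample zone: key 'AQID' and the base64 signature fields are placeholders.
GOOD_ZONE = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2013082701 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 13 2 3600 20130930000000 20130801000000 2063 example.test. c2lnLXNvYQ==
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 13 2 3600 20130930000000 20130801000000 2063 example.test. c2lnLW5z
example.test. 3600 IN DNSKEY 256 3 13 AQID
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20130930000000 20130801000000 2063 example.test. c2lnLWtleQ==
ns1.example.test. 3600 IN A 192.0.2.1
ns1.example.test. 3600 IN RRSIG A 13 3 3600 20130930000000 20130801000000 2063 example.test. c2lnLWE=
sub.example.test. 3600 IN NS ns1.sub.example.test.
ns1.sub.example.test. 3600 IN A 192.0.2.53
sub.example.test. 3600 IN DS 12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
sub.example.test. 3600 IN RRSIG DS 13 3 3600 20130930000000 20130801000000 2063 example.test. c2lnLWRz
"""
# One signature already expired before NOW.
EXPIRED_ZONE = GOOD_ZONE.replace("RRSIG A 13 3 3600 20130930000000", "RRSIG A 13 3 3600 20130820000000")
# A record added without any RRSIG (what a broken signing step would hand you).
UNSIGNED_ZONE = GOOD_ZONE + "www.example.test. 3600 IN A 192.0.2.80\n"
NOW = datetime(2013, 8, 27, 16, 6, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, cand in (("good", GOOD_ZONE), ("expired", EXPIRED_ZONE), ("unsigned", UNSIGNED_ZONE)):
        chosen, probs = choose_zone_to_publish(cand, GOOD_ZONE, "example.test.", NOW)
        print(name, "->", "published" if chosen is cand else "REJECTED, kept last good", probs)
```

A secondary can apply the same rule to a freshly transferred copy before swapping it into service, which gives the "outdated but still validly signed" behaviour the post asks for; expiring signatures on the retained copy are then the operator's next alarm, not a validation failure handed to resolvers.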