[dns-operations] Implementation of negative trust anchors?
Carlos M. Martinez
carlosm3011 at gmail.com
Tue Aug 27 16:06:20 UTC 2013
Hello,
On Aug 27, 2013, at 12:56 PM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
>
> ...but not all of them.
No feature / idea will ever catch all of them.
This should not keep us from implementing some of the good ideas that are going around. In fact, when I read 'an authoritative nameserver SHOULD NOT publish an invalid zone _ever_', well, I was struck by how obvious this is, and a bit ashamed at how I had never thought about it. This is something that should have always been in place.
Same for [A|I]XFR. Slaves MUST refuse to transfer invalid zones! That way they might keep an outdated but still validly signed zone.
And, if there is a corner case where this should be allowed, well, that's what configuration options are for.
We must build resiliency layer by layer.
cheers!
~Carlos
>
> --Paul Hoffman
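The gate Carlos describes (a slave that refuses to load a transferred zone unless it is valid, and keeps serving the previous, still validly signed copy otherwise), as an added example that is not part of the thread and not code from any nameserver. It models a zone as constructed in-memory records, treats a zone as invalid when it lacks an SOA or DNSKEY set, or when any RRset has no RRSIG whose key tag matches a zone key and whose validity window covers the current time. All names, serials and timestamps are constructed; cryptographic verification of the signatures is assumed to be done by the real validator and is not performed here.

```python
"""Zone-update gate: accept a transferred zone only if it is valid,
otherwise keep serving the current (older but validly signed) copy.
Constructed example; not from the mailing-list thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name
    rtype: str  # RR type, e.g. "A", "SOA"
    rdata: str  # rdata as text


@dataclass(frozen=True)
class RRSIG:
    name: str        # owner of the signed RRset
    covers: str      # type covered by this signature
    keytag: int      # key tag of the signing DNSKEY
    inception: int   # signature validity start (unix time)
    expiration: int  # signature validity end (unix time)


@dataclass
class Zone:
    serial: int
    records: list    # RR instances (everything except RRSIG)
    rrsigs: list     # RRSIG instances
    keytags: set     # key tags present in the apex DNSKEY RRset


def zone_problems(zone, now):
    """Return the reasons the zone must be treated as invalid at time `now`.
    An empty list means the zone passed every structural/temporal check."""
    problems = []
    rrsets = {(rr.name, rr.rtype) for rr in zone.records}
    if not any(t == "SOA" for _, t in rrsets):
        problems.append("no SOA record")
    if not zone.keytags:
        problems.append("no DNSKEY RRset at the apex")
    sigs_by_rrset = {}
    for sig in zone.rrsigs:
        sigs_by_rrset.setdefault((sig.name, sig.covers), []).append(sig)
    for name, rtype in sorted(rrsets):
        sigs = sigs_by_rrset.get((name, rtype), [])
        if not sigs:
            problems.append(f"{name} {rtype}: unsigned")
            continue
        usable = [s for s in sigs
                  if s.keytag in zone.keytags and s.inception <= now <= s.expiration]
        if not usable:
            problems.append(f"{name} {rtype}: no signature valid at {now}")
    return problems


def accept_transfer(current, candidate, now):
    """Decide what to serve after a transfer. Returns (zone_to_serve, decision).
    The candidate is refused if its serial is not newer or if it is invalid;
    in both cases the current zone stays in service."""
    if current is not None and candidate.serial <= current.serial:
        return current, "refused: serial not newer"
    problems = zone_problems(candidate, now)
    if problems:
        return current, "refused: " + "; ".join(problems)
    return candidate, "accepted"


# Constructed sample data. NOW is a constructed timestamp (27 Aug 2013, UTC).
NOW = 1_377_600_000
APEX_KEYTAGS = {12345}
SOA = RR("example.", "SOA", "ns1.example. hostmaster.example. 2013082701 3600 900 1209600 300")
NS = RR("example.", "NS", "ns1.example.")
WWW = RR("www.example.", "A", "192.0.2.10")
DNSKEY = RR("example.", "DNSKEY", "257 3 8 <constructed-key-material>")


def _sigs(expiration_for_www):
    """Signatures covering every RRset; only the www A signature's expiry varies."""
    return [
        RRSIG("example.", "SOA", 12345, NOW - 86400, NOW + 7 * 86400),
        RRSIG("example.", "NS", 12345, NOW - 86400, NOW + 7 * 86400),
        RRSIG("example.", "DNSKEY", 12345, NOW - 86400, NOW + 7 * 86400),
        RRSIG("www.example.", "A", 12345, NOW - 86400, expiration_for_www),
    ]


GOOD_V1 = Zone(2013082701, [SOA, NS, WWW, DNSKEY], _sigs(NOW + 7 * 86400), APEX_KEYTAGS)
# Serial 02 was re-signed badly: the www A RRSIG expired an hour ago.
BAD_V2 = Zone(2013082702, [SOA, NS, WWW, DNSKEY], _sigs(NOW - 3600), APEX_KEYTAGS)
GOOD_V3 = Zone(2013082703, [SOA, NS, WWW, DNSKEY], _sigs(NOW + 7 * 86400), APEX_KEYTAGS)


if __name__ == "__main__":
    served = GOOD_V1
    for candidate in (BAD_V2, GOOD_V3):
        served, decision = accept_transfer(served, candidate, NOW)
        print(f"transfer of serial {candidate.serial}: {decision}; serving {served.serial}")
```

Run as a script, the slave refuses serial 02 and keeps serving 01, then accepts serial 03. The point of returning the problem list rather than a boolean is operational: the refusal reason is what an operator needs in the log to fix the master, and the old zone keeps answering in the meantime.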