On Mar 27, 2012, at 12:04 PM, Tony Finch wrote:

> Antoin Verschuren <antoin.verschu...@sidn.nl> wrote:
>
>> I read the draft, and I seem to be missing a part where a domain is
>> intentionally insecure. Such a situation might occur f.e. in tools
>> investigating if DNSSEC is working properly from an end user
>> perspective. I can also imagine there are other situations where DNSSEC
>> validation is broken on purpose. So somewhere in section 7 it should
>> state not to use negative trust anchors for domains that are
>> intentionally insecure, though I wonder how this could be signalled (in
>> a secure way).
>
> Do you mean insecure (no DS) or bogus (broken RRSIGs)?

I have created such domains for exactly these purposes. This one is no longer signed (I think) but has a DS in its parent zone: trasigdnssec.se