On Mon, Apr 16, 2012 at 08:32:59AM -0700, David Conrad wrote:
> On Apr 16, 2012, at 4:52 AM, Scott Schmit wrote:
> > Please explain how operators will prevent this, and why they can
> > afford to remove a zone from the NTA list (while it is still
> > failing) but couldn't afford to leave it off the list in the first
> > place.
>
> I would assume operators will keep NTAs alive until the zone owner
> fixes things.
>
> You appear to be assuming zone owners will leave brokenness in place.

Not an assumption--a reality. See Jason's recent posts for documentation.

> > No, I'm talking about a targeted use of the controversial practice of
> > returning spoofed results redirecting the user to another host.
>
> An interesting idea, albeit I'm actually unsure which is less
> appealing architecturally speaking. For others against NTAs, is the
> use of redirection as Scott suggests preferable?

Believe me, I feel dirty even suggesting it. But its benefits could outweigh the ugliness of it, so I figured I'd offer it.

Another approach would be to bless client-configured/non-automated NTAs for now...until there are enough resolvers validating. Then do a 'Turn Off All NTAs Forever Day.' And hope that the world follows through & blessing NTAs doesn't backfire instead.

-- 
Scott Schmit
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop