On Apr 16, 2012, at 1:52 PM, Livingood, Jason wrote:

> On 4/11/12 10:16 AM, "Tony Finch" <d...@dotat.at> wrote:
> 
>> Griffiths, Chris <chris_griffi...@cable.comcast.com> wrote:
>>> On Apr 10, 2012, at 8:11 PM, Wes Hardaker wrote:
>>> 
>>>>  Suggested rewrite:
>>>> 
>>>>      Furthermore, a Negative Trust Anchor MUST only be used for a
>>>>      short duration, perhaps for a day or less.
>>> 
>>> Agreed.  Maximum time supported makes sense to me.
>> 
>> This only makes sense if the negative trust anchor is for a third party
>> domain. There are situations where it makes sense to use negative trust
>> anchors covering your own domains, and these might be necessary for a
>> long period of time (because that would require a difficult upgrade or
>> extensive renaming). There are more use cases than just the NASA screwup
>> scenario.
> 
> True. We had an issue with one of our own domains that has persisted
> longer. So I think this argues against a maximum duration for all NTAs,
> and simply some TTL that the DNS admin can set (which could vary by
> domain). The other alternative is to leave this question completely to
> implementers, where some will set a max duration for all NTAs, others will
> choose a TTL that varies by domain, and others still may not specify any
> times (in force until removed).

I think leaving flexibility to support different use cases makes sense, since
there are definitely going to be different reasons for keeping an NTA in place
for short as well as longer term reasons.  Perhaps we can define these
additional use cases like short term, longer term, and indefinite until removed.

Chris
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
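The three NTA lifetimes discussed in the thread (short-term, longer-term, and indefinite until removed), expressed as a small per-domain NTA table that a validating resolver would consult before turning a bogus DNSSEC result into SERVFAIL. This is an added illustration, not code from the thread, from any resolver, or from the draft under discussion. The zone names, the default durations (one day and thirty days), the "reason" field, and the sample lookups are all constructed for the example; the only behaviour taken from the thread is that an NTA applies to one zone, may carry its own admin-chosen duration, and may also be left in force until explicitly removed.

```python
"""Added example: a per-domain Negative Trust Anchor (NTA) table.

An NTA tells a validating resolver to treat DNSSEC validation failures
under a named zone as insecure (unsigned) rather than bogus, so the zone
keeps resolving while its operator repairs the signing problem.  Each
entry carries its own lifetime, as the thread proposes, instead of one
global maximum.  All names and durations here are illustrative.
"""

import time
from dataclasses import dataclass
from typing import Optional

# Assumed defaults for the example; an operator would choose their own.
SHORT_TERM = 24 * 3600          # a day or less, for a third party's outage
LONGER_TERM = 30 * 24 * 3600    # weeks, e.g. for one of your own zones
INDEFINITE = None               # no expiry: in force until removed


@dataclass
class NegativeTrustAnchor:
    name: str                   # zone apex, lower-case, no trailing dot
    added: float                # epoch seconds when the admin installed it
    lifetime: Optional[float]   # seconds, or None for indefinite
    reason: str                 # operator note (constructed in the test)

    def expired(self, now: float) -> bool:
        """Indefinite entries never expire; timed ones do at added+lifetime."""
        return self.lifetime is not None and now >= self.added + self.lifetime


def canonical(name: str) -> str:
    """Normalise a DNS name for table lookup (case and trailing dot)."""
    return name.rstrip(".").lower()


class NTATable:
    def __init__(self) -> None:
        self._entries: dict[str, NegativeTrustAnchor] = {}

    def add(self, name: str, lifetime: Optional[float], reason: str,
            now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        key = canonical(name)
        self._entries[key] = NegativeTrustAnchor(key, now, lifetime, reason)

    def remove(self, name: str) -> None:
        """Explicit removal: the only way an indefinite NTA goes away."""
        self._entries.pop(canonical(name), None)

    def purge(self, now: Optional[float] = None) -> list:
        """Drop entries whose lifetime has elapsed; return the names dropped."""
        now = time.time() if now is None else now
        gone = [n for n, e in self._entries.items() if e.expired(now)]
        for n in gone:
            del self._entries[n]
        return gone

    def covering(self, qname: str,
                 now: Optional[float] = None) -> Optional[NegativeTrustAnchor]:
        """Closest enclosing unexpired NTA for qname, or None.

        Matching is by label boundary, so an NTA at example.com covers
        www.example.com but does not cover notexample.com.
        """
        now = time.time() if now is None else now
        labels = canonical(qname).split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is not None and not entry.expired(now):
                return entry
        return None


def resolver_disposition(table: NTATable, qname: str, validation: str,
                         now: Optional[float] = None) -> str:
    """Map a validator result to what the resolver returns.

    'secure' and 'insecure' pass through.  'bogus' becomes 'insecure' only
    when an unexpired NTA covers the name; otherwise it stays a SERVFAIL.
    """
    if validation != "bogus":
        return validation
    return "insecure" if table.covering(qname, now) is not None else "servfail"
```

The lookup walks up the name one label at a time, so a single NTA at a zone apex covers the whole zone without any wildcard logic, and the expiry check sits inside the lookup so a stale entry stops working the moment its lifetime passes, whether or not `purge` has run yet.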
