On Fri, May 30, 2014 at 02:11:45PM -0400, Paul Wouters wrote: > Note also that for this problem, there is already a commonly deployed > solution at the application level that addresses this situation, such > as https://www.nlnetlabs.nl/projects/dnssec-trigger/ which will inform > the user the network is severely broken or the user is under attack, > and gives the user the option to disable DNSSEC and go "insecure".
Also negative trust anchors, which seems to have stalled in the IETF (http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-06) but has been implemented in some validators (and will be in BIND in a future release). > I do not believe your stated problem is one that needs addressing. +1 -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop