My feedback to a possible -01 version is to add something related to not considering NTAs for the upper hierarchy of a failed DNSSEC domain. For instance, even if I see a good number of .gov domains failed DNSSEC, adding an NTA configuration for .gov would not be considered good operational practice, unless .gov itself starts failing DNSSEC validation.
I know no RFC can determine what ops really end up doing, but not being allowed to claim that as a prescribed practice has some value.

Rubens

> On Dec 15, 2014, at 11:15 PM, internet-dra...@ietf.org wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name System Operations Working Group
> of the IETF.
>
> Title    : Definition and Use of DNSSEC Negative Trust Anchors
> Authors  : Paul Ebersman
>            Chris Griffiths
>            Warren Kumari
>            Jason Livingood
>            Ralf Weber
> Filename : draft-ietf-dnsop-negative-trust-anchors-00.txt
> Pages    : 17
> Date     : 2014-12-15
>
> Abstract:
> DNS Security Extensions (DNSSEC) is now entering widespread
> deployment. However, domain signing tools and processes are not yet
> as mature and reliable as those for non-DNSSEC-related domain
> administration tools and processes. Negative Trust Anchors
> (described in this document) can be used to mitigate DNSSEC
> validation failures.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-negative-trust-anchors/
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-dnsop-negative-trust-anchors-00
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop