Rubens Kuhl <rube...@nic.br> wrote: > > My feedback to a possible -01 version is to add something related to not > consider NTAs for the upper hierarchy of a failed DNSSEC domain. For > instance, even if I see a good number of .gov domains failed DNSSEC, > adding a NTA configuration for .gov would not be considered good > operational practice, unless .gov itself starts failing DNSSEC > validation.
That is a good point. Happily I think the draft already makes it hard for operators to do that, since an NTA will be automatically removed if its zone validates (section 10). Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ Fisher, German Bight: West or northwest 6 to gale 8, backing southwest 5 to 7. Rough or very rough. Squally showers, rain later. Good, occasionally moderate. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop