On Tue, Dec 16, 2014 at 10:47:33AM +0000, Tony Finch wrote: > That is a good point. Happily I think the draft already makes it hard for > operators to do that, since an NTA will be automatically removed if its > zone validates (section 10).
Thank you for pointing this out, Tony; I'd missed it when I read the draft, and it would have been embarrassing if I'd gone ahead and posted my planned comment to the effect that there ought to be text like this. :) I will revise my planned comments to say there ought to be MORE text like this. First, some clarification of of "attempt to validate the zone" is probably called for. A resolver can't validate the entire zone; it can only spot- check. BIND's method, for the record, is to send a periodic query for type SOA at the NTA node; if it gets a response that it can validate (whether the response was an actual SOA answer or a NOERROR/NODATA with appropriate NSEC/NSEC3 records, which would imply that the NTA was placed at a node which was not a zone cut [1]), the NTA is presumed no longer to be necessary and is removed. (Note that under some circumstances, this is undesirable behavior -- for example, if www.example.com had a bad signature, but example.com/SOA was fine -- so we also provide a "force" option to set an NTA which is *not* subject to this periodic spot-check.) Second, I would upgrade the recommendation from "optimally this is automatic" to at least a SHOULD, and maybe a MUST. Third, it's implied in section 8, but I would add to section 10 that NTAs MUST expire automatically when their configured lifetime ends, and that this lifetime MUST NOT exceed a week. My biggest fear with NTAs is that someone will configure one and then forget about it forever. There should be an expiry date associated with every NTA, and it should be enforced by code. One final comment: in appendix A.2, the "rndc nta" description is outdated and should now read: nta -dump List all negative trust anchors. nta [-lifetime duration] [-force] domain [view] Set a negative trust anchor, disabling DNSSEC validation for the given domain. Using -lifetime specifies the duration of the NTA, up to one week. The default is one hour. Using -force prevents the NTA from expiring before its full lifetime, even if the domain can validate sooner. nta -remove domain [view] Remove a negative trust anchor, re-enabling validation for the given domain. [1] ... which we presume to be legal, but maybe ought to be clarified in the draft. Trust anchors are always at a zone apex; negative trust anchors don't strictly need to be. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop