On Sat, May 09, 2015 at 03:08:11PM +0200, Warren Kumari wrote:
> "It is RECOMMENDED that implementations warn operators (or treat as an
> error) if they attempt to add an NTA for a domain that has a
> configured positive trust anchor."
You still need to say what happens if the implementation decides to warn instead of treat it as an error.

Actually, weirdly enough, after I implemented NTAs in BIND, one of the very first applications somebody came up with for them was to temporarily disable DNSSEC validation by setting an NTA for ".". This was seen as better than "rndc validation off" because he didn't have to send "rndc validation on" afterward; it would just quietly switch itself back on after a minute. It's... actually a pretty clever hack, and I don't really want to disable it.

May I suggest:

"An NTA placed at a node where there is a configured positive trust anchor takes precedence over that trust anchor, effectively disabling it. Implementations MAY issue a warning when this occurs."

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
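The precedence rule proposed in the message above, modelled as a small resolver policy table. This is an added example, not code from the thread or from BIND; the class and function names (TrustAnchorStore, validation_required, and so on) are assumptions made here for illustration. It walks from the query name toward the root and lets an unexpired NTA at a node win over a positive trust anchor at the same node, so an NTA for "." switches validation off until the NTA lapses, and adding an NTA on top of a configured trust anchor produces a warning rather than an error.

```python
"""Model of negative trust anchor (NTA) precedence in a validating resolver.

Added example; not BIND's implementation. All names below are assumptions
chosen for illustration.
"""
import logging
from typing import Dict, List, Optional, Set

log = logging.getLogger("nta")


def _normalize(name: str) -> str:
    """Lower-case a domain name and strip the trailing dot; the root becomes ''."""
    return name.strip().lower().rstrip(".")


def _ancestors(name: str) -> List[str]:
    """Return the name and each ancestor up to the root (''), closest first.

    'www.example.com' -> ['www.example.com', 'example.com', 'com', '']
    """
    n = _normalize(name)
    labels = n.split(".") if n else []
    nodes = [".".join(labels[i:]) for i in range(len(labels))]
    nodes.append("")  # the root
    return nodes


class TrustAnchorStore:
    """Positive trust anchors plus time-limited negative trust anchors."""

    def __init__(self) -> None:
        self.positive: Set[str] = set()
        self.nta_expiry: Dict[str, float] = {}  # node -> absolute expiry time

    def add_positive(self, name: str) -> None:
        self.positive.add(_normalize(name))

    def add_nta(self, name: str, now: float, lifetime: float = 3600.0) -> Optional[str]:
        """Install an NTA; return a warning string if it overrides a positive anchor."""
        node = _normalize(name)
        self.nta_expiry[node] = now + lifetime
        if node in self.positive:
            msg = f"NTA at '{name or '.'}' overrides a configured positive trust anchor"
            log.warning(msg)  # MAY warn; the NTA still takes effect
            return msg
        return None

    def active_nta(self, name: str, now: float) -> bool:
        """True if an unexpired NTA sits at this node; lapsed NTAs are dropped."""
        node = _normalize(name)
        expiry = self.nta_expiry.get(node)
        if expiry is None:
            return False
        if now >= expiry:
            del self.nta_expiry[node]  # NTA lapsed: validation quietly resumes
            return False
        return True

    def validation_required(self, qname: str, now: float) -> bool:
        """Decide whether answers for qname must validate.

        Closest matching node wins; at a node, an NTA is checked before a
        positive anchor, which is the precedence rule proposed in the thread.
        """
        for node in _ancestors(qname):
            if self.active_nta(node, now):
                return False
            if node in self.positive:
                return True
        return False  # no anchor covers this name: nothing to validate against


def root_nta_demo() -> List[bool]:
    """The 'NTA for .' trick: [before, during, after] a 60 second root NTA."""
    store = TrustAnchorStore()
    store.add_positive(".")
    before = store.validation_required("www.example.com", now=0)
    store.add_nta(".", now=0, lifetime=60)
    during = store.validation_required("www.example.com", now=30)
    after = store.validation_required("www.example.com", now=60)
    return [before, during, after]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("validation required before/during/after root NTA:", root_nta_demo())
```

The walk stops at the closest configured node, so an NTA below a positive anchor (say at a broken child zone) disables validation only for that subtree, while the root NTA in the demo disables it everywhere until the timer runs out.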