Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
>
> I'm not enthusiastic. We should focus on making the DNS infrastructure
> more reliable, not on adding something to a pile of already fragile
> protocols.

I like this draft because it should help if we lose off-campus connectivity. We've had a few incidents in recent years such as flooded comms rooms and DDoS attacks on our providers. Those problems have been addressed at the network layer, but if we have another outage for whatever reason I would like our recursive servers to be able to handle it more gracefully.

We have set things up so it should be possible to resolve on-site names in our own domains when there is an outage - but not if the client does DNSSEC validation. It isn't possible to distribute trust anchors to BYOD clients with validating stubs, so the only way to keep going through an outage is to retain the DS/DNSKEY chain in the cache.

It's also mildly annoying that loss of connectivity often looks like a DNS problem, since client software never gets as far as trying to connect off site. I would selfishly prefer it if our users would blame the network rather than the DNS :-)

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Shannon: Northwest 5 to 7, occasionally gale 8 later. Rough or very rough. Showers. Good.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop