On Wed, Nov 15, 2017 at 1:38 AM, Warren Kumari <war...@kumari.net> wrote:

> On Wed, Nov 15, 2017 at 9:45 AM, Joe Abley <jab...@hopcount.ca> wrote:
> > Hi Bob,
> >
> > On Nov 15, 2017, at 00:23, Bob Harold <rharo...@umich.edu> wrote:
> >
> > If I have to add those entries to each zone, I worry that the automated
> > DNS appliance that I use might not be able to create the broken records
> > required.
> >
> > Since the implementation of the mechanism requires special handling of
> > queries whose QNAMEs contain the special labels, I don't see why you
> > would ever need to add anything to any zone.
> >
> > The point of this mechanism is to require no administrator action and to
> > be on by default, I think.
>
> Yup, *you* should not need to create these records, as long as someone
> does the testing will work -- e.g. if example.com publishes:
> _is-ta-4f66.example.com
> _not-ta-4f66.example.com
> badlysigned.example.com
>
> and you can resolve things in example.com you can do the testing. If
> your appliance has not been upgraded to know about this new technique
> the result will correctly be "unknown / indeterminate" (Vleg[0])
>
> W
>
> [0]: Vleg: A DNSSEC-Validating resolver that does not include this
>       mechanism will respond with an A record response for "_is-ta", an
>       A record response for "_not-ta" and SERVFAIL for the invalid name.
>
>
> >
> >
> > Joe
>

So for resolvers that can reach the public internet, only one publicly
available authoritative server needs to have these special records in one
zone?

Could that be made clearer in the draft?

-- 
Bob Harold
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
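The three-query test Warren describes, worked through as an added example that is not code from the DNSOP thread or from the sentinel draft. The probe names and the key tag 4f66 are the ones in his message; the "Vleg" row of the result table is the one his footnote states, while the rows for sentinel-aware ("Vnew") resolvers are an assumption based on the sentinel mechanism's design. Every resolver in the script is a constructed stand-in for a real recursive resolver, so it runs offline; to use it against a live resolver you would replace `lookup` with a function that performs the query and reports A or SERVFAIL.

```python
"""Interpret the three sentinel queries from the thread and classify the
resolver that answered them.

Added example, not code from the DNSOP thread or the sentinel draft. The
names and key tag 4f66 come from Warren's message; the "Vleg" row of the
table is the one his footnote describes, the "Vnew" rows are an assumption
based on the sentinel design, and all resolvers below are constructed.
"""
from enum import Enum
from typing import Callable, Dict


class Outcome(Enum):
    """What the client observed for one query."""
    ANSWER = "A"            # an A record came back
    SERVFAIL = "SERVFAIL"   # the resolver refused to answer


KEY_TAG = "4f66"          # key tag used in the thread's example names
ZONE = "example.com"

# The three probe names from Warren's message.
SENTINEL_NAMES: Dict[str, str] = {
    "is_ta": f"_is-ta-{KEY_TAG}.{ZONE}",
    "not_ta": f"_not-ta-{KEY_TAG}.{ZONE}",
    "bogus": f"badlysigned.{ZONE}",
}

A, SF = Outcome.ANSWER, Outcome.SERVFAIL

# (is_ta, not_ta, bogus) -> classification. Only the Vleg row is stated in
# the thread; the Vnew rows follow from the sentinel design (assumption).
CLASSIFICATION = {
    (A, SF, SF): f"Vnew: validating, sentinel-aware, trusts key {KEY_TAG}",
    (SF, A, SF): f"Vnew: validating, sentinel-aware, does not trust key {KEY_TAG}",
    (A, A, SF): "Vleg: validating, no sentinel support (indeterminate)",
    (A, A, A): "non-validating resolver (indeterminate)",
}


def classify(is_ta: Outcome, not_ta: Outcome, bogus: Outcome) -> str:
    """Map the three observed outcomes to a resolver class."""
    return CLASSIFICATION.get(
        (is_ta, not_ta, bogus),
        "unexpected combination: resolver broken or answers filtered")


def probe(lookup: Callable[[str], Outcome]) -> str:
    """Run the three queries through `lookup` and classify the resolver."""
    seen = {key: lookup(name) for key, name in SENTINEL_NAMES.items()}
    return classify(seen["is_ta"], seen["not_ta"], seen["bogus"])


# --- constructed resolvers standing in for real DNS lookups ---------------

def legacy_validator(name: str) -> Outcome:
    """Vleg: validates signatures but treats the sentinel labels as ordinary
    signed names, so both sentinel names answer and only the bogus name fails."""
    return SF if name.startswith("badlysigned.") else A


def non_validating(name: str) -> Outcome:
    """A resolver that never validates answers all three names."""
    return A


def sentinel_validator(trusted_tags: set) -> Callable[[str], Outcome]:
    """Vnew: a validating resolver that implements the sentinel labels; its
    configured trust anchors are the key tags in `trusted_tags` (assumed)."""
    def lookup(name: str) -> Outcome:
        if name.startswith("badlysigned."):
            return SF
        first = name.split(".")[0]
        if first.startswith("_is-ta-"):
            return A if first[len("_is-ta-"):] in trusted_tags else SF
        if first.startswith("_not-ta-"):
            return SF if first[len("_not-ta-"):] in trusted_tags else A
        return A
    return lookup


if __name__ == "__main__":
    for label, resolver in [
        ("legacy validator", legacy_validator),
        ("non-validating", non_validating),
        ("sentinel-aware, has 4f66", sentinel_validator({"4f66"})),
        ("sentinel-aware, lacks 4f66", sentinel_validator({"0000"})),
    ]:
        print(f"{label:28s} -> {probe(resolver)}")
```

The table is keyed on the full triple rather than on the two sentinel answers alone because the bogus-name query is what separates a resolver that validates at all from one that simply answers everything; any triple outside the table is reported as unexpected rather than guessed at.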