At Tue, 12 May 2015 11:44:28 +0200,
Warren Kumari war...@kumari.net wrote:
In BIND, NTA's are set by an rndc command, but in other implementations
they might be set up in a config file. If you have both a TA and an NTA
for the same node in the same configuration, that would be sensible to
On Mon, May 11, 2015 at 7:26 PM, Evan Hunt e...@isc.org wrote:
On Mon, May 11, 2015 at 12:19:19PM -0400, Bob Harold wrote:
I am not even sure there is a good reason for a warning.
In BIND, NTA's are set by an rndc command, but in other implementations
they might be set up in a config file. If
Moin!
On 11 May 2015, at 19:20, Evan Hunt wrote:
Does this mean:
A: All implementations that conform to this document should prefer the
NTA over the positive anchor in such a case, or
B: This is implementation-dependent, but if an implementation allows
the coexistence of positive and
On Tue, May 12, 2015 at 11:44:28AM +0200, Warren Kumari wrote:
An NTA placed at a node where there is a configured positive trust
anchor MUST take precedence over that trust anchor, effectively
disabling it. Implementations SHOULD issue a warning or informational
message when this occurs, so
On Tue, May 12, 2015 at 5:00 PM, Evan Hunt e...@isc.org wrote:
On Tue, May 12, 2015 at 11:44:28AM +0200, Warren Kumari wrote:
An NTA placed at a node where there is a configured positive trust
anchor MUST take precedence over that trust anchor, effectively
disabling it. Implementations SHOULD
Does this mean:
A: All implementations that conform to this document should prefer the
NTA over the positive anchor in such a case, or
B: This is implementation-dependent, but if an implementation allows
the coexistence of positive and negative anchors, it should prefer
the NTA,
At Sat, 9 May 2015 15:08:11 +0200,
Warren Kumari war...@kumari.net wrote:
1. In my very original comment on this matter:
www.ietf.org/mail-archive/web/dnsop/current/msg12614.html
I noted one other corner case, which we might also want to clarify:
On a related note, there are
On Mon, May 11, 2015 at 12:10 PM, 神明達哉 jin...@wide.ad.jp wrote:
At Sat, 9 May 2015 18:50:28 +,
Evan Hunt e...@isc.org wrote:
Actually, weirdly enough, after I implemented NTA's in BIND, one of the
very first applications somebody came up with for them was to temporarily
disable
On Mon, May 11, 2015 at 12:19:19PM -0400, Bob Harold wrote:
I am not even sure there is a good reason for a warning.
In BIND, NTA's are set by an rndc command, but in other implementations
they might be set up in a config file. If you have both a TA and an NTA
for the same node in the same
At Sat, 9 May 2015 18:50:28 +,
Evan Hunt e...@isc.org wrote:
Actually, weirdly enough, after I implemented NTA's in BIND, one of the
very first applications somebody came up with for them was to temporarily
disable DNSSEC validation by setting an NTA for .. This was seen as
better than
On Sat, May 9, 2015 at 8:50 PM, Evan Hunt e...@isc.org wrote:
On Sat, May 09, 2015 at 03:08:11PM +0200, Warren Kumari wrote:
It is RECOMMENDED that implementations warn operators (or treat as an
error) if they attempt to add an NTA for a domain that has a
configured positive trust anchor.
On Sat, May 9, 2015 at 4:33 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:
On May 9, 2015, at 6:07 AM, Warren Kumari war...@kumari.net wrote:
In Section 2, there should be a new paragraph after the first paragraph
that describes why the reasonable attempt in the first paragraph is
needed to
[ Top post ]
Integrating these -- 'parently I'm processing emails out of order...
Thank you for your comments, I've integrated them and will post a new
version soon (planning on incorporating some of Jinmei's comments
before posting).
On Tue, May 5, 2015 at 5:53 PM, Paul Hoffman
On Wed, May 6, 2015 at 5:08 PM, Dan York y...@isoc.org wrote:
Warren and Tim,
I support the publishing of this document subject to incorporating the
various comments I’ve seen here on that list. I had a couple of specific
points but they seem to have been covered by others, so…
On May 6,
On Wed, May 6, 2015 at 3:33 PM, Rose, Scott W. scott.r...@nist.gov wrote:
I think the draft is just about ready for publication as well.
On May 5, 2015, at 5:53 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:
This document has progressed very well and is nearly ready for publication.
Related
On May 9, 2015, at 6:08 AM, Warren Kumari war...@kumari.net wrote:
Two more related points:
1. In my very original comment on this matter:
www.ietf.org/mail-archive/web/dnsop/current/msg12614.html
I noted one other corner case, which we might also want to clarify:
On a related note,
On Wed, May 6, 2015 at 6:51 PM, 神明達哉 jin...@wide.ad.jp wrote:
At Tue, 5 May 2015 17:06:04 -0400,
Warren Kumari war...@kumari.net wrote:
... and now I'm replying to the rest of the comments.
Thanks, I've confirmed that my major and minor points are addressed in
the 05 version. So I'm now
On Sat, May 09, 2015 at 03:08:11PM +0200, Warren Kumari wrote:
It is RECOMMENDED that implementations warn operators (or treat as an
error) if they attempt to add an NTA for a domain that has a
configured positive trust anchor.
You still need to say what happens if the implementation decides
during
WGLC, so that everyone can see the most recent state, and not comment on
older comments, etc)
W
On Monday, April 27, 2015, Tim Wicinski tjw.i...@gmail.com wrote:
Greetings,
This starts a Working Group Last Call for Adoption for
draft-ietf-dnsop-negative-trust-anchors
Current versions
I think the draft is just about ready for publication as well.
On May 5, 2015, at 5:53 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:
This document has progressed very well and is nearly ready for publication.
Related to an earlier thread about intended status: Informational is most
At Tue, 5 May 2015 17:06:04 -0400,
Warren Kumari war...@kumari.net wrote:
... and now I'm replying to the rest of the comments.
Thanks, I've confirmed that my major and minor points are addressed in
the 05 version. So I'm now basically fine with shipping it.
Some non-blocking comments
[ Top post]
Only replying to the biggest issue here, will reply to the rest later today.
On Mon, May 4, 2015 at 2:25 PM, 神明達哉 jin...@wide.ad.jp wrote:
At Mon, 27 Apr 2015 18:58:10 -0400,
Tim Wicinski tjw.i...@gmail.com wrote:
This starts a Working Group Last Call for Adoption for
draft-ietf
On Tue, May 05, 2015 at 12:24:13PM -0400, Warren Kumari wrote:
The way that our resolver works is that the closest TA would win, and
so a positive TA under a negative trust anchor *would* be used. To me
this seems to be the obviously right thing to do, and so, unless
anyone objects, I'll add
for the careful review, catching this corner
case, and providing helpful text...
More comments inline.
On Mon, May 4, 2015 at 2:25 PM, 神明達哉 jin...@wide.ad.jp wrote:
At Mon, 27 Apr 2015 18:58:10 -0400,
Tim Wicinski tjw.i...@gmail.com wrote:
This starts a Working Group Last Call for Adoption for
draft
This document has progressed very well and is nearly ready for publication.
Related to an earlier thread about intended status: Informational is most
appropriate here because the document is all about proposed operations but no
best current practice. There is no problem with WGs producing
At Mon, 27 Apr 2015 18:58:10 -0400,
Tim Wicinski tjw.i...@gmail.com wrote:
This starts a Working Group Last Call for Adoption for
draft-ietf-dnsop-negative-trust-anchors
(I guess this is for Publication, not for Adoption).
Also, have we decided to publish it as an Informational document? I'm
Greetings,
This starts a Working Group Last Call for Adoption for
draft-ietf-dnsop-negative-trust-anchors
Current versions of the draft are available here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-negative-trust-anchors/
https://tools.ietf.org/html/draft-ietf-dnsop-negative-trust