pounsett> Negative Trust Anchors, most probably. paul> i hope not. because if true, there's no backpressure on sloppy paul> operations. are we really introducing a new animal to this paul> ecosystem that has no predators trying to kill or eat it?
NTAs in production use aren't even vaguely new. They've been in wide use for 8-10 years that I'm aware of. They are part of why folks like google, cloudflare, comcast et al are willing to do DNSSEC validation in production. Doing it automatically is bad, as per RFC 7646, but it is a valid response if it's a large site and mistake rather than malicious. _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
