Mark,
On Aug 29, 2007, at 4:23 PM, Mark Andrews wrote:
If the root gets signed and you remove the DLV stuff, won't you break
any caching resolver that still has the DLV trust anchor configured?
No. Please re-read the quoted paragraph. The root's DLV
will be there.
Please re-read my question.
You only need DLV records where there is a missing link in the
trust chain. If you have "." you don't need a DLV for "se" as
there will be a DS for "se" in the root zone.
Perhaps surprisingly, I understand this.
My question, somewhat expanded, is:
If you configure a trust anchor for "the" DLV registry and at some
point in time in the future, that DLV registry ceases to function
_and you have not changed the trust anchor configuration_, won't
validation fail?
The point of this question:
If you start mucking about with production services that require
configuration on the part of system administrators (particularly in
the somewhat arcane world of DNSSEC trust anchors), it can become
quite difficult to stop that production service without breaking
stuff. Is this a place we want to go for a temporary hack?
Thanks,
-drc
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf