DNSSEC

Mark Andrews marka at isc.org
Thu May 10 23:42:34 UTC 2012


In message <532C3631-D503-4DC0-88C9-600A905648DB at kumari.net>, Warren Kumari writes:
> 
> On May 10, 2012, at 12:52 PM, WBrown at e1b.org wrote:
> 
> > Warren wrote on 05/10/2012 11:50:30 AM:
> >
> >> Nope -- Comcast does a large amount of checking before turning off
> >> validation for a failing domain.
> >> This is (IMO) more secure than the alternative, which is to simply
> >> leave it failing, and have users move to a non-validating resolver
> > instead?
> >
> > Does Comcast have a process to re-enable validation once the issue is
> > resolved?
> >
> 
> Yup.
> 
> They have an overview of the technique here: http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
> and there have been discussions on it on DNSOP, starting here: http://www.ietf.org/mail-archive/web/dnsop/current/msg09489.html
> and then continuing on, basically forever…
> 
> This doesn't really talk to their policies in depth, but they do have reasonable (and sane) policies…
> 
> 
> W

It's also not a procedure that will scale.  It also impacted any
downstream validators.

Note that doing this will mark any data as insecure, so as long as the
application is paying attention to the security status of the data
returned (and it should be, if it is depending upon it), there should
be no issues other than what would occur if a trust anchor was
removed.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
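As an added illustration of the point above (this is example code written for this page, not code from the thread, from Comcast's implementation or from BIND): a toy model of how a negative trust anchor changes the security status a validating resolver reports, and why a downstream resolver that validates for itself still ends up with BOGUS. The zone names, the chain of trust and the "signatures verify" flags are constructed; nothing here parses real DNS messages.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Zone:
    name: str
    parent: Optional[str]
    signed: bool       # is the zone DNSSEC signed (DS present at the parent)?
    sigs_valid: bool   # constructed: would its RRSIGs verify right now?

@dataclass
class Resolver:
    trust_anchors: Set[str]
    ntas: Set[str] = field(default_factory=set)  # negative trust anchors

    def status(self, zones: Dict[str, Zone], name: str) -> str:
        """Return SECURE, INSECURE or BOGUS for data owned by `name`."""
        # Collect the chain of trust from `name` up to the root.
        chain, z = [], zones[name]
        while z is not None:
            chain.append(z)
            z = zones.get(z.parent) if z.parent is not None else None
        # Validate top-down, starting at the first configured trust anchor.
        anchored = False
        for z in reversed(chain):
            if not anchored:
                anchored = z.name in self.trust_anchors
                if not anchored:
                    continue
            if z.name in self.ntas:
                return "INSECURE"  # NTA: stop validating, answer without AD
            if not z.signed:
                return "INSECURE"  # unsigned delegation: provably insecure
            if not z.sigs_valid:
                return "BOGUS"     # validation failure: resolver SERVFAILs
        return "SECURE" if anchored else "INSECURE"

def downstream_status(upstream: Resolver, downstream: Resolver,
                      zones: Dict[str, Zone], name: str) -> str:
    """What a validating resolver forwarding to `upstream` ends up with."""
    if upstream.status(zones, name) == "BOGUS":
        return "SERVFAIL"  # upstream returns no data to re-check at all
    # The upstream NTA only clears the AD bit on the data it hands back; the
    # downstream validator re-validates with its own anchors and no NTA.
    return downstream.status(zones, name)

# Constructed sample: root and com verify; example.com's signatures are broken.
ZONES = {
    ".": Zone(".", None, True, True),
    "com": Zone("com", ".", True, True),
    "example.com": Zone("example.com", "com", True, False),
}
```

With an NTA for example.com the upstream answers but marks the data INSECURE (AD bit clear), which is exactly what removing a trust anchor would do; a downstream validator without that NTA still sees BOGUS.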



More information about the bind-users mailing list