www.ncbi.nlm.nih.gov / pubmed

Lyle Giese lyle at lcrcomputer.net
Thu Aug 19 12:56:33 UTC 2010


I agree with this idea. Sorta like when a browser is presented with an
invalid SSL cert by a website. It could be that you put in example.com
when the cert is for www.example.com or in the case of a self-signed
cert, as long as I am not giving them sensitive data, I, the user, can
accept or deny the invalid cert. And we have the choice (at least in
Firefox) to accept that invalid cert forever or just for the current
session with that site.

I agree that this would be a useful feature. Maybe an add-on 'zone' file
where we enumerate the broken domains we want to accept with an
expiration date, not to exceed x number of days. That way we don't add
a domain and mistype the expiration date or forget we created an
exception for it.

Lyle Giese
LCR Computer Services, Inc.
>
> I did, and I disagree that it misses the point.
>
> I wanted a *short term* workaround for that zone, while the site fixed
> their DNSSEC. I had satisfied myself that it was a DNSSEC signing
> mistake, and faced an unpalatable choice - disable validation globally
> for the duration of a single site repair period (sacrificing the
> benefits of DNSSEC) or lose connectivity to that site. Had the site
> been more "important" to us, it would have been no "choice" at all - I
> would have been instructed to disable validation.
>
> I think DNSSEC is very important, but I also think mistakes will
> happen, and that sites will want the ability to be forgiving for a
> grace period.
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
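An added example, not part of the thread or of BIND, sketching the "exception file with a capped expiration date" that Lyle proposes above (the same idea later standardised as DNSSEC negative trust anchors in RFC 7646). It parses a constructed sample file of broken domains, rejects any entry whose expiry is past today or beyond the configured cap (so a mistyped year cannot silently create a long-lived validation bypass), and reports every rejected line so the operator notices the mistake. The file format, the 14-day cap and the function names are assumptions made for this illustration.

```python
from datetime import date, timedelta

# Policy: an exception may never be valid for more than this many days
# (assumed value for the example; pick what your site is willing to tolerate).
MAX_EXCEPTION_DAYS = 14

# Constructed sample "exception zone file": "<domain> <expiry YYYY-MM-DD>",
# one entry per line, '#' starts a comment. The ncbi.nlm.nih.gov entry mirrors
# the subject of this thread; the other two names are illustrative.
SAMPLE_EXCEPTIONS = """\
# domains whose DNSSEC is known broken; validation is skipped until expiry
ncbi.nlm.nih.gov   2010-08-26
example.net        2011-12-31   # mistyped year: far beyond the cap, must be rejected
broken.example     2010-08-10   # already expired: must be rejected
"""


def parse_exceptions(text, today, max_days=MAX_EXCEPTION_DAYS):
    """Return (active, rejected).

    active  : {domain: expiry} for entries that are neither expired nor
              further out than today + max_days.
    rejected: [(line_no, domain_or_line, reason)] so mistakes are visible
              instead of silently honoured or silently dropped.
    """
    active = {}
    rejected = []
    cap = today + timedelta(days=max_days)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            rejected.append((n, line, "malformed"))
            continue
        domain, expiry_text = parts
        domain = domain.lower().rstrip(".")        # normalise like a DNS name
        try:
            expiry = date.fromisoformat(expiry_text)
        except ValueError:
            rejected.append((n, domain, "bad date"))
            continue
        if expiry < today:
            rejected.append((n, domain, "expired"))
        elif expiry > cap:
            rejected.append((n, domain, "exceeds %d-day cap" % max_days))
        else:
            active[domain] = expiry
    return active, rejected


def validation_exempt(name, active):
    """True if name is at or below an active exception domain.

    Only the excepted zone and its subdomains are exempt; parents such as
    nih.gov keep full validation, so the bypass is as narrow as possible.
    """
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in active for i in range(len(labels)))


if __name__ == "__main__":
    today = date(2010, 8, 19)                      # date of this post
    active, rejected = parse_exceptions(SAMPLE_EXCEPTIONS, today)
    for domain, expiry in sorted(active.items()):
        print("exempt until %s: %s" % (expiry, domain))
    for line_no, what, reason in rejected:
        print("line %d rejected (%s): %s" % (line_no, reason, what))
    print("www.ncbi.nlm.nih.gov exempt:", validation_exempt("www.ncbi.nlm.nih.gov", active))
    print("nih.gov exempt:", validation_exempt("nih.gov", active))
```

Feeding the parsed `active` set into a resolver's validation path is left to the implementation; the point of the example is the two checks that keep such a list from turning into a permanent, forgotten hole: a hard cap on how far out an expiry may be, and loud rejection of anything that fails it.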



