DNSSEC
Warren Kumari
warren at kumari.net
Thu May 10 19:04:01 UTC 2012
On May 10, 2012, at 12:52 PM, WBrown at e1b.org wrote:
> Warren wrote on 05/10/2012 11:50:30 AM:
>
>> Nope -- Comcast does a large amount of checking before turning off
>> validation for a failing domain.
>> This is (IMO) more secure than the alternative, which is to simply
>> leave it failing, and have users move to a non-validating resolver
>> instead?
>
> Does Comcast have a process to re-enable validation once the issue is
> resolved?
>
Yup.
They have an overview of the technique here: http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
and there have been discussions on it on DNSOP, starting here: http://www.ietf.org/mail-archive/web/dnsop/current/msg09489.html
and then continuing on, basically forever…
This doesn't really talk to their policies in depth, but they do have reasonable (and sane) policies…
W
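The negative-trust-anchor workflow discussed above (add an NTA for a zone only after checking that the failure is a DNSSEC misconfiguration rather than an outage, keep it time-limited, and drop it once validation works again) modelled as an added example; this is not Comcast's code or anything from the draft, and the probe results, the 7-day lifetime and the "all validators fail, plain lookup succeeds" rule are my assumptions.

```python
"""Toy negative-trust-anchor (NTA) store, modelled on the ideas in
draft-livingood-negative-trust-anchors. Added example, not code from the list."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample probe results, not real measurements:
# zone -> (rcodes from several independent validating resolvers,
#          rcode from a non-validating resolver)
SAMPLE_PROBES = {
    "broken.example": (["SERVFAIL", "SERVFAIL", "SERVFAIL"], "NOERROR"),
    "down.example":   (["SERVFAIL", "SERVFAIL", "SERVFAIL"], "SERVFAIL"),
    "flaky.example":  (["SERVFAIL", "NOERROR", "SERVFAIL"], "NOERROR"),
}

@dataclass
class NtaStore:
    # Assumption: NTAs are always capped at a short fixed lifetime.
    max_lifetime: timedelta = timedelta(days=7)
    entries: dict = field(default_factory=dict)   # zone -> expiry time

    @staticmethod
    def is_dnssec_misconfiguration(validating, plain):
        """Only a DNSSEC problem if *every* validating probe fails while the
        non-validating probe succeeds; anything else is an outage or flakiness."""
        return all(rc == "SERVFAIL" for rc in validating) and plain == "NOERROR"

    def consider(self, zone, validating, plain, now):
        """Add a time-limited NTA for zone if the checks justify it."""
        if not self.is_dnssec_misconfiguration(validating, plain):
            return False
        self.entries.setdefault(zone, now + self.max_lifetime)
        return True

    def active(self, zone, now):
        """Validation is currently disabled for zone (NTA present, not expired)."""
        return zone in self.entries and self.entries[zone] > now

    def revalidate(self, zone, validating, now):
        """Re-enable validation when every validator succeeds again, or when
        the NTA has expired; returns True if the NTA was removed."""
        if zone not in self.entries:
            return False
        fixed = all(rc == "NOERROR" for rc in validating)
        if fixed or now >= self.entries[zone]:
            del self.entries[zone]
            return True
        return False
```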