In message <barmar-151ba5.20443611032...@news.eternal-september.org>, Barry Margolin writes:

> In article <mailman.792.1268343500.21153.bind-us...@lists.isc.org>,
> Mark Andrews <ma...@isc.org> wrote:
>
> > No. It's "I've tried real hard to get you an answer which is not a
> > forgery but I can't."
>
> Not really. It's "I've tried real hard to get you an answer that I can
> *tell* is not a forgery, but I can't." When validation fails, which is
> really more likely, that it's a forgery or that the DNS administrator
> screwed up?
>
> When website admins mess up certificates, the browser alerts the user
> and gives them the option of ignoring the error. DNSSEC validation
> doesn't have the same kind of continuation option.

And that is just plain bad security practice. If the wrong cert is presented, then the client should just fail. Even when you report the error to the administrator of the site, they just ignore it because they know you can work around it. Even Verisign does this sort of thing. If you don't give a workaround, then operators will fix the issue.

> --
> Barry Margolin, bar...@alum.mit.edu
> Arlington, MA
> *** PLEASE don't copy me on replies, I'll read them in the group ***
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org