On 26/08/2013, at 13.18, Ralf Weber <[email protected]> wrote:
> So what would your advice be to the people running resolvers/validators?

Currently validating resolvers suffer from an additional and different set of configuration mistakes from those that don't validate. Arguably if everyone validated then it wouldn't matter if foo.com failed because they fumbled the DS or failed to pay for renewal. At that stage, It's Their Problem, Not Yours because everyone on the resolver side experiences the same problem (give or take $ttl just like in insecure DNS).

So get everyone else to validate so we're all in the same boat :)

Humor aside, I agree better automated processes would help - although today no software helps you prevent mismatched parent and child delegations, for instance. But dnssec IS more complicated, and more automation (and policy enforcement - here I'm looking at opendnssec) will certainly help.

In the meantime...

... Will NTAs delay adoption of validation or speed it up thanks to the warm fuzzy feeling?

P
