On 11 Apr 2012, at 15:48, Shane Kerr wrote:
> Disabling DNSSEC validation for broken domains seems completely
> rational, at least for some types of brokenness.
+1
The problem here is this becomes a local policy/configuration matter
and the experience you outlined still occurs Shane. Sometimes things
will work (for some definition of work) even if DNSSEC validation
fails, sometimes they won't. I don't see any easy answers. It would be
nice if browsers (say) popped up a dialogue box which said "I'm not
sure about this IP address, do you feel lucky?" when a validation
failed so the end user could decide how to proceed. But this would be
unpopular and almost certainly get ignored or switched off. And of
course it does nothing for all the other application software that
might like to know if they're handling validated DNS data or not.
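Added illustration, not part of the thread: the signal an application has for "am I handling validated DNS data or not" is the AD (Authenticated Data) bit in the response header, and the usual outcome of a failed validation is a SERVFAIL with no AD bit, which the stub cannot distinguish from any other resolver failure without re-asking with CD (Checking Disabled) set. The script below is a self-contained DNS header parser over constructed sample headers (the byte strings are made up for the example; no real resolver is queried) that classifies a response the way an application would have to.

```python
"""Classify a DNS response header by its DNSSEC-related flags.

Added example: parses the 12-byte DNS message header (RFC 1035 layout,
with the AD/CD bits from RFC 4035) and decides whether an application
may treat the answer as validated. Sample headers are constructed here.
"""
import struct
from dataclasses import dataclass

# Flag bits in the 16-bit flags field, MSB first:
# QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(1) AD(1) CD(1) RCODE(4)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # resolver asserts all data in the answer was validated
FLAG_CD = 0x0010  # client asked the resolver to skip validation
RCODE_MASK = 0x000F

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


@dataclass(frozen=True)
class DnsHeader:
    ident: int
    flags: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int

    @property
    def is_response(self) -> bool:
        return bool(self.flags & FLAG_QR)

    @property
    def rcode(self) -> int:
        return self.flags & RCODE_MASK

    @property
    def authenticated(self) -> bool:
        return bool(self.flags & FLAG_AD)

    @property
    def checking_disabled(self) -> bool:
        return bool(self.flags & FLAG_CD)


def parse_header(msg: bytes) -> DnsHeader:
    """Unpack the fixed 12-byte header; raises on truncated input."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    return DnsHeader(*struct.unpack("!6H", msg[:12]))


def classify(msg: bytes) -> str:
    """Return 'validated', 'unvalidated', 'unverified' or 'servfail'.

    The AD bit is only meaningful when the path to the resolver is
    trusted (loopback, or a channel with integrity protection); a
    forwarder on an untrusted network can set or clear it at will.
    """
    hdr = parse_header(msg)
    if not hdr.is_response:
        raise ValueError("header is a query, not a response")
    if hdr.rcode == RCODE_SERVFAIL:
        # Validation failure looks like this, but so does any other
        # resolver failure; only a CD=1 retry tells them apart.
        return "servfail"
    if hdr.checking_disabled:
        # CD=1 answers are returned unvalidated on purpose.
        return "unverified"
    if hdr.authenticated:
        return "validated"
    return "unvalidated"


def build_header(ident: int, flags: int, qd: int = 1, an: int = 1) -> bytes:
    """Construct a header with the given flags (sample data only)."""
    return struct.pack("!6H", ident, flags, qd, an, 0, 0)


# Constructed sample headers (not captured traffic).
SAMPLE_VALIDATED = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
SAMPLE_UNVALIDATED = build_header(0x1235, FLAG_QR | FLAG_RD | FLAG_RA)
SAMPLE_SERVFAIL = build_header(
    0x1236, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, an=0)
SAMPLE_CD_RETRY = build_header(
    0x1237, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD)

if __name__ == "__main__":
    for name, sample in [("validated", SAMPLE_VALIDATED),
                         ("unvalidated", SAMPLE_UNVALIDATED),
                         ("servfail", SAMPLE_SERVFAIL),
                         ("cd-retry", SAMPLE_CD_RETRY)]:
        print(f"{name:12s} -> {classify(sample)}")
```

The design point is the asymmetry the mail describes: an application that insists on "validated" will see the SERVFAIL case as a failure with no further information, and the only way to offer a "do you feel lucky?" choice is a second query with CD=1, whose answer then arrives without the AD bit and must be treated as unverified.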
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop