Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2013-02-06 Thread Mark Andrews
In message 201302062107.r16l7f9b066...@calcite.rhyolite.com, Vernon Schryver All of that gets back to honesty being the best policy and letting other people fix their own stuff in their own time. And the more people that validate the bigger the peer pressure will be to fix dnssec problems

Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2013-02-06 Thread Mark Andrews
In message 201302070048.r170mosg004...@calcite.rhyolite.com, Vernon Schryver writes: My view is that if an outfit has so few other users that it doesn't hear when things break and doesn't care enough to monitor, then it's not worth my time to be a pest. By time I notice a problem with a

Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2013-02-05 Thread Augie Schwer
Is there a way to exclude a domain from DNSSEC validation, like Unbound's domain-insecure? For example if a popular site ( say nasa.gov ) updates their keys incorrectly so that their domain fails validation, you contact their admins. and with a high level of confidence you determine

Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2013-02-05 Thread Carl Byington
On Tue, 2013-02-05 at 17:01 -0800, Augie Schwer wrote: Is there a way to exclude a domain from DNSSEC validation, like Unbound's domain-insecure? I have not tested this, but if you use RPZ to block the DS record for nasa.gov, that should turn

Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-30 Thread Chris Thompson
On Apr 30 2012, Warren Kumari wrote: On Apr 26, 2012, at 2:51 PM, Jan-Piet Mens wrote: [...] From a Comcast talk at SATIN 2012 I believe they called that a negative trust anchor, and IIRC, the author wanted to publish a draft of its operation. Haven't seen it yet though, and it's probably off

Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-30 Thread Gilles Massen
On 30/4/12 13:56 , Chris Thompson wrote: http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01 Being actively discussed on DNSOP list It *was* being actively discussed there, up until about 10 days ago. Since then the participants seem to have stopped, maybe from sheer

Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-29 Thread Warren Kumari
On Apr 26, 2012, at 2:51 PM, Jan-Piet Mens wrote: Augie, Is there a way to exclude a domain from DNSSEC validation, like Unbound's domain-insecure? That is regrettably not possible at the moment, at least not in BIND 9.9.0. The only (quite impracticable) workaround would be to define

Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-27 Thread Tony Finch
Jan-Piet Mens jpmens@gmail.com wrote: From a Comcast talk at SATIN 2012 I believe they called that a negative trust anchor, and IIRC, the author wanted to publish a draft of its operation. http://tools.ietf.org/html/draft-livingood-negative-trust-anchors There has been a lot of

Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-26 Thread Augie Schwer
Is there a way to exclude a domain from DNSSEC validation, like Unbound's domain-insecure? For example if a popular site ( say nasa.gov ) updates their keys incorrectly so that their domain fails validation, you contact their admins. and with a high level of confidence you determine

Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-26 Thread Jan-Piet Mens
Augie, Is there a way to exclude a domain from DNSSEC validation, like Unbound's domain-insecure? That is regrettably not possible at the moment, at least not in BIND 9.9.0. The only (quite impracticable) workaround would be to define the zone authoritatively yourself and populate it somehow

Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-26 Thread Fr34k
26, 2012 2:51 PM Subject: Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure. Augie, Is there a way to exclude a domain from DNSSEC validation, like Unbound's domain-insecure? That is regrettably not possible at the moment, at least not in BIND 9.9.0. The only (quite