Paul Wouters writes:
> On Wed, 11 Apr 2012, Shane Kerr wrote:
>
>> Disabling DNSSEC validation for broken domains seems completely
>> rational, at least for some types of brokenness.
>
> So someone will make a browser plugin to enable this. Let them.
In our validation work within firefox we deli
On Wed, 11 Apr 2012, Shane Kerr wrote:
Disabling DNSSEC validation for broken domains seems completely
rational, at least for some types of brokenness.
So someone will make a browser plugin to enable this. Let them.
Paul
___
DNSOP mailing list
DNSOP
> On Wed, 11 Apr 2012 13:40:23 +0200, Shane Kerr said:
SK> For example, I know someone who regularly forgets to re-sign his zones.
SK> Yes, he knows he should set BIND up to re-sign them automatically or
SK> perhaps use zkt, but that takes time and it's just his own vanity
SK> domain. Persona
Tony,
On Wednesday, 2012-04-11 15:20:50 +0100,
Tony Finch wrote:
> Shane Kerr wrote:
> >
> > For example, I know someone who regularly forgets to re-sign his
> > zones.
>
> That's just stupid. There are a lot of sensible words in Jason's draft
> to say that negative trust anchors should not be
Shane Kerr wrote:
>
> For example, I know someone who regularly forgets to re-sign his zones.
That's just stupid. There are a lot of sensible words in Jason's draft
to say that negative trust anchors should not be used as a long-term
workaround for some third party's persistent incompetence.
Ton
Chris,
On Wednesday, 2012-04-11 02:36:59 +,
"Griffiths, Chris" wrote:
>
> > Suggested rewrite:
> >
> > Furthermore, a Negative Trust Anchor MUST only be used for a
> > short duration, perhaps for a day or less. Implementations
> > MUST require an end-time configuration associ