On Tue, 2011-07-26 at 20:37 -0400, Matt McCutchen wrote:
> I'm seeing this now using nss-dane
> ( https://mattmccutchen.net/cryptid/#nss-dane ) for my personal
> browsing: so far I've poked seven exceptions for broken DNS servers,

I should clarify: these seven are all insecure zones, so if I made the client check whether the zone is verified-insecure rather than just stopping on the query failure, I would be OK. The phenomenon of ostensibly "high-performance" or "locked-down" DNS servers that don't support enough of the protocol to prove the non-use of opt-in schemes has not appeared yet for secure zones. Let's hope it never does.

> and
> on some public access points I cannot get through to DNSSEC at all.

But this problem isn't going away any time soon.

--
Matt
