I agree with this idea. Sorta like when a browser is presented with an invalid SSL cert by a website. It could be that you put in example.com when the cert is for www.example.com or in the case of a self-signed cert, as long as I am not giving them sensitive data, I, the user, can accept or deny the invalid cert. And we have the choice (at least in Firefox) to accept that invalid cert forever or just for the current session with that site.
I agree that this would be a useful feature. Maybe an add-on 'zone' file where we enumerate the broken domains we want to accept with an expiration date, not to exceed x number of days. That way we don't add a domain and mistype the expiration date or forget we created an exception for it.

Lyle Giese
LCR Computer Services, Inc.

>
> I did, and I disagree that it misses the point.
>
> I wanted a *short term* workaround for that zone, while the site fixed
> their DNSSEC. I had satisfied myself that it was a DNSSEC signing
> mistake, and faced an unpalatable choice - disable validation globally
> for the duration of a single site repair period (sacrificing the
> benefits of DNSSEC) or lose connectivity to that site. Had the site
> been more "important" to us, it would have been no "choice" at all - I
> would have been instructed to disable validation.
>
> I think DNSSEC is very important, but I also think mistakes will
> happen, and that sites will want the ability to be forgiving for a
> grace period.
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users