On 10/05/2012 17:20, Daniel Ryšlink wrote:

> What's the point of DNSSEC when resolver administrators configure
> exceptions on a regular basis? If you can't be sure when your resolver
> does or does not validate, why have signed zones in the first place?
> It just seems to be another "shared illusion of security" similar to PKI.

Daniel,

For many companies the bottom line is revenue. If a large ISP's customers can't resolve some popular domains, and start calling to complain, it would flood their helpdesks, and they would lose revenue. They cannot afford to be idealists.

Comcast has taken a pragmatic view. I'm glad to see they've turned on validation, but I can see why they need to configure exceptions. Without being able to manage exceptions, large ISPs are not going to turn on validation.

Regards,
Anand