On May 10, 2012, at 12:52 PM, wbr...@e1b.org wrote:

> Warren wrote on 05/10/2012 11:50:30 AM:
>
>> Nope -- Comcast does a large amount of checking before turning off
>> validation for a failing domain.
>> This is (IMO) more secure than the alternative, which is to simply
>> leave it failing, and have users move to a non-validating resolver
>> instead?
>
> Does Comcast have a process to re-enable validation once the issue is
> resolved?

Yup. They have an overview of the technique here:
http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
and there have been discussions on it on DNSOP, starting here:
http://www.ietf.org/mail-archive/web/dnsop/current/msg09489.html
and then continuing on, basically forever…

This doesn't really talk to their policies in depth, but they do have reasonable (and sane) policies…

W

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users