In message <532c3631-d503-4dc0-88c9-600a90564...@kumari.net>, Warren Kumari writes:
>
> On May 10, 2012, at 12:52 PM, wbr...@e1b.org wrote:
>
> > Warren wrote on 05/10/2012 11:50:30 AM:
> >
> >>> Nope -- Comcast does a large amount of checking before turning off
> >>> validation for a failing domain.
> >>> This is (IMO) more secure than the alternative, which is to simply
> >>> leave it failing, and have users move to a non-validating resolver
> > > instead?
> >
> > > Does Comcast have a process to re-enable validation once the issue is
> > > resolved?
> >
> > > Yup.
>
> They have an overview of the technique here: http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
> and there have been discussions on it on DNSOP, starting here: http://www.ietf.org/mail-archive/web/dnsop/current/msg09489.html
> and then continuing on, basically forever...
>
> This doesn't really talk to their policies in depth, but they do have reasonable (and sane) policies...
>
> W
It's also not a procedure that will scale. It also impacted on any downstream validators. Note doing this will mark any data as insecure, so as long as the application is paying attention to the security status of the data returned, and it should be if it is depending upon it, there should be no issues other than what would occur if a trust anchor was removed.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
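As an added example (not from this thread, and not ISC or Comcast code): a minimal parser for the 12-byte DNS message header that classifies a resolver's reply by the security status an application should act on, which is the distinction Mark's reply turns on. Under a negative trust anchor the resolver answers with the AD bit clear (insecure) instead of SERVFAIL (bogus); the sample headers below are constructed, and the names `Status`, `parse_header` and `security_status` are mine.

```python
import struct
from enum import Enum


class Status(Enum):
    SECURE = "secure"      # upstream resolver validated the answer (AD=1)
    INSECURE = "insecure"  # answer returned but not validated (AD=0), e.g. under an NTA
    BOGUS = "bogus"        # resolver refused to answer: SERVFAIL


FLAG_QR = 0x8000          # response
FLAG_AD = 0x0020          # Authenticated Data (RFC 4035)
FLAG_CD = 0x0010          # Checking Disabled: set by a downstream validator
RCODE_SERVFAIL = 2


def parse_header(msg: bytes) -> dict:
    """Decode the fixed DNS header: ID, flag bits, section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def security_status(msg: bytes) -> Status:
    """What an AD-aware application should conclude from one response.

    An NTA only changes the upstream resolver's own verdict; a downstream
    validator that queries with CD=1 still validates the chain itself and
    sees the same failure, which is why an NTA does not help it.
    """
    h = parse_header(msg)
    if h["rcode"] == RCODE_SERVFAIL:
        return Status.BOGUS
    return Status.SECURE if h["ad"] else Status.INSECURE


def make_header(flags: int, ancount: int = 1) -> bytes:
    """Constructed sample: a response header (QR=1) with the given flag bits."""
    return struct.pack("!6H", 0x1234, FLAG_QR | flags, 1, ancount, 0, 0)


# Constructed samples (header only; question and answer sections omitted).
SECURE_RESPONSE = make_header(0x0180 | FLAG_AD)           # RD, RA, AD set
NTA_RESPONSE = make_header(0x0180)                        # RD, RA; AD cleared under an NTA
BOGUS_RESPONSE = make_header(0x0180 | RCODE_SERVFAIL, 0)  # validation failed, no NTA
```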