In message <532c3631-d503-4dc0-88c9-600a90564...@kumari.net>, Warren Kumari writes:
> 
> On May 10, 2012, at 12:52 PM, wbr...@e1b.org wrote:
> 
> > Warren wrote on 05/10/2012 11:50:30 AM:
> >
> >> Nope -- Comcast does a large amount of checking before turning off
> >> validation for a failing domain.
> >> This is (IMO) more secure than the alternative, which is to simply
> >> leave it failing, and have users move to a non-validating resolver
> >> instead?
> >
> > Does Comcast have a process to re-enable validation once the issue is
> > resolved?
> 
> Yup.
> 
> They have an overview of the technique here: http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
> and there have been discussions on it on DNSOP, starting here: http://www.ietf.org/mail-archive/web/dnsop/current/msg09489.html
> and then continuing on, basically forever...
> 
> This doesn't really talk to their policies in depth, but they do have reasonable (and sane) policies...
> 
> 
> W

It's also not a procedure that will scale.  It also impacted on
any downstream validators.

Note that doing this will mark any data as insecure, so as long as the
application is paying attention to the security status of the data
returned, and it should be if it is depending upon it, there should
be no issues other than what would occur if a trust anchor was
removed.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
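One way for an application to make the check Mark describes, as an added example that is not code from this thread or from BIND: decode the AD bit and RCODE of a raw DNS response header. Under a negative trust anchor the failing zone answers with AD=0, indistinguishable from an unsigned zone, so the application must treat the data as unauthenticated; the sample headers below are constructed inline, not captured traffic.

```python
import struct

# DNS header flag bits: QR/RD/RA from RFC 1035, AD from RFC 4035.
FLAG_QR = 1 << 15
FLAG_RD = 1 << 8
FLAG_RA = 1 << 7
FLAG_AD = 1 << 5
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def security_status(msg: bytes) -> str:
    """Classify a DNS response by what its header says about validation.
    'bogus'    : SERVFAIL, which is what a validating resolver returns when
                 validation fails (other server errors look the same).
    'secure'   : AD=1, the resolver validated the answer.
    'insecure' : AD=0, the data is unsigned, sits under a negative trust
                 anchor, or came from a resolver that does not validate.
    The AD bit only means something when the resolver is trusted and the
    path to it cannot be tampered with (e.g. localhost or a secured channel).
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    if (flags & 0x000F) == RCODE_SERVFAIL:
        return "bogus"
    return "secure" if flags & FLAG_AD else "insecure"


def make_response(rcode: int = RCODE_NOERROR, ad: bool = False,
                  msg_id: int = 0x1234) -> bytes:
    """Constructed 12-byte response header with empty sections (sample input
    for the demonstration, not a captured packet)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & 0x000F)
    if ad:
        flags |= FLAG_AD
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)


# The three cases Mark distinguishes: a validated signed zone, the same zone
# after an NTA is installed (answers return without AD, like an unsigned
# zone), and a validation failure with no NTA in place.
SAMPLES = {
    "validated": make_response(ad=True),
    "under_nta": make_response(ad=False),
    "failing": make_response(rcode=RCODE_SERVFAIL),
}
CLASSIFIED = {name: security_status(msg) for name, msg in SAMPLES.items()}
```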
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users