> From: Mark Andrews <ma...@isc.org>

> sign the zone two weeks ago they should have gone insecure by having
> the DS records pulled from the root.  There is no valid excuse for
> letting your zone go to invalid.

That's as true as saying there's no valid excuse for making any error.
A better way to state that truth is that excuses are irrelevant except
to judges delivering sentences, and DNS clients aren't judges.

As far as DNS clients are concerned, either the DNSSEC chain is valid or
they have a sign of evil.  Maybe bad guys are doing something that
depends on preventing the publication of new DNSSEC RRs.  Maybe it's
some kind of replay attack to allow exploiting a DANE TLSA cert whose
private key has been compromised.


> > I think this comes under "be liberal in what you accept."
>
> No it doesn't.

Indeed, "be liberal in what you accept" generally never has and should
not apply to security.  Who is liberal enough to accept passwords that
are 90% right and public keys that were revoked only 10% of something
ago?  Should it be enough that 90% of a DNSSEC chain verifies?  Expired
keys are not the same as signatures that don't verify, but the principle
is the same.  Either the chain is valid, or all of the security proofs
that depend on it are invalid.


Vernon Schryver    v...@rhyolite.com
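The all-or-nothing outcome both posts describe (DS pulled: the zone goes insecure; DS present but any RRSIG expired or failing: the whole chain is bogus), written out as a small validator model. This is an added example, not code from either poster; the `crypto_ok` flag is a constructed stand-in for the real signature check, and timestamps are compared with RFC 1982 serial arithmetic as RFC 4034 requires for RRSIG inception/expiration.

```python
"""Chain-level DNSSEC outcome for one zone cut (added example, not the post's code)."""
from dataclasses import dataclass
from enum import Enum

MOD = 1 << 32  # RRSIG inception/expiration are 32-bit counters (RFC 4034 3.1.5)


class Status(Enum):
    SECURE = "secure"      # chain validates: answer is trusted
    INSECURE = "insecure"  # no DS at the parent: zone is unsigned, answer is usable
    BOGUS = "bogus"        # DS present but chain does not validate: resolver SERVFAILs


def serial_le(a: int, b: int) -> bool:
    """a <= b under RFC 1982 serial-number arithmetic (survives the 2^32 wrap)."""
    return (b - a) % MOD < MOD // 2


@dataclass(frozen=True)
class Rrsig:
    inception: int    # seconds since epoch, mod 2^32
    expiration: int
    crypto_ok: bool   # constructed stand-in for the RSA/ECDSA verification result


def in_validity_window(sig: Rrsig, now: int) -> bool:
    """RFC 4034: an RRSIG must not be used before inception or after expiration."""
    return serial_le(sig.inception, now) and serial_le(now, sig.expiration)


def validate(ds_present: bool, sigs: list, now: int) -> Status:
    """Decide the status of data under this zone cut.

    sigs holds every RRSIG the chain below the DS relies on. A single
    expired, not-yet-valid or non-verifying signature makes the whole
    chain bogus; there is no partial credit for "90% of a chain".
    """
    if not ds_present:
        return Status.INSECURE          # parent says unsigned: no proof is expected
    if not sigs:
        return Status.BOGUS             # DS promises signatures that are not there
    for sig in sigs:
        if not sig.crypto_ok or not in_validity_window(sig, now):
            return Status.BOGUS
    return Status.SECURE
```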
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations