On 01/19/2013 09:28 PM, Matthäus Wander wrote:
> I think it's more like "I'll tolerate an expired signature for 10% of
> the original validity period and use that extra time to let other people
> notice and fix it".
> Assuming that 1) the majority of validators do *not* tolerate expired
> signatures and 2) most DNSSEC failures are fixed within that 10%, it is
> a way to trade off reliability vs. security.
That's rather reminiscent of parents who don't get their children vaccinated for fear of side-effects and instead rely on *other* children being vaccinated. Being tolerant of garbled input is what caused the sorry mess of HTML, with its quirks parsing modes and incompatibilities.

> It's not cool to be one of the few resolvers suffering from DNSSEC
> configuration errors that other people caused, while all the
> non-validating resolvers seem to work fine. The security benefit is
> hardly noticed by users outside of the DNS community as long as
> applications are not showing green DNSSEC icons or other gizmos.

I used to work for the first major ISP here that switched DNSSEC validation on, so I can only commiserate with you :).

Jarda Benkovsky

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
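The "tolerate an expired signature for 10% of its original validity period" policy quoted above, as an added example that is not part of the thread and not the code of any resolver: it takes the validity window from an RRSIG in presentation format (RFC 4034, expiration and inception as YYYYMMDDHHmmSS) and evaluates the same signature the way a strict validator and a tolerant one would. The sample RRSIG, its placeholder signature field, the function names and the 10% figure (taken from the message) are assumptions for illustration; timestamps are compared with the serial-number arithmetic RFC 4034 section 3.1.5 requires, and the cryptographic signature itself is not verified.

```python
from datetime import datetime, timezone
from typing import Tuple

# Constructed sample RRSIG in presentation format (RFC 4034 s3.2): a 30-day
# signature over example.net A records. The signature field is a placeholder;
# only the validity window is examined here.
SAMPLE_RRSIG = ("example.net. 3600 IN RRSIG A 8 2 3600 "
                "20130131000000 20130101000000 12345 example.net. "
                "cGxhY2Vob2xkZXI=")

MASK32 = 0xFFFFFFFF


def parse_rrsig_time(text: str) -> int:
    """YYYYMMDDHHmmSS (UTC) -> 32-bit seconds since the epoch."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & MASK32


def validity_window(rrsig_line: str) -> Tuple[int, int]:
    """Return (inception, expiration) from an RRSIG presentation-format line."""
    fields = rrsig_line.split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    expiration, inception = fields[8], fields[9]  # RDATA order per RFC 4034
    return parse_rrsig_time(inception), parse_rrsig_time(expiration)


def serial_diff(a: int, b: int) -> int:
    """a - b in serial-number arithmetic (RFC 4034 s3.1.5), so the
    comparison survives the 32-bit wrap-around of the timestamp fields."""
    d = (a - b) & MASK32
    return d - (1 << 32) if d >= (1 << 31) else d


def rrsig_in_window(inception: int, expiration: int, now: int,
                    tolerance: float = 0.0) -> bool:
    """Strict (tolerance=0) or lenient validity-window check.

    With tolerance > 0 an already-expired signature is still accepted for
    that fraction of its original validity period (expiration - inception),
    which is the trade-off discussed in the thread. Signatures that are not
    yet valid get no such grace.
    """
    period = serial_diff(expiration, inception)
    if period <= 0:
        return False  # malformed or inverted window
    if serial_diff(now, inception) < 0:
        return False  # not yet valid
    grace = int(period * tolerance)
    return serial_diff((expiration + grace) & MASK32, now) >= 0


def classify(rrsig_line: str, now_text: str, tolerance: float = 0.10) -> dict:
    """Outcome for a strict validator and for one applying `tolerance`."""
    inception, expiration = validity_window(rrsig_line)
    now = parse_rrsig_time(now_text)
    return {
        "strict": rrsig_in_window(inception, expiration, now),
        "tolerant": rrsig_in_window(inception, expiration, now, tolerance),
    }


if __name__ == "__main__":
    # Mid-window, 2 days past expiry (inside the 3-day grace), 5 days past.
    for when in ("20130115000000", "20130202000000", "20130205000000"):
        print(when, classify(SAMPLE_RRSIG, when))
```

For the 30-day sample signature the 10% grace is three days: a validator checked two days after expiration still answers from the tolerant resolver but fails SERVFAIL-style on the strict one, and after five days both reject it. That gap between the two rows is exactly the window in which "a few resolvers" see the breakage while the tolerant majority does not.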