On 23.08.13 03:07, Vernon Schryver wrote:
> From: Suzanne Woolf <wo...@isc.org>
>> I don't like it either, but it limits the damage done by a DNSSEC
>> failure to status quo ante rather than something worse.
> That is mistaken. You get the status quo ante by simply turning
> off validation.
It seems discussions like this are the result of having implemented
DNSSEC only halfway so far.
Thing is, today we mostly make use of DNSSEC validation at the 'large'
caching resolver sites. Those are services that serve lots of people,
and if someone has "any" problem, they do call. It is all too easy to
point at DNSSEC and demand that it be ignored.
When/if we get to a fuller DNSSEC deployment, where the validation
happens on each individual end node, then each individual end user can
make their own choice whether to validate or not. There will be no need
for any such bypassing technologies at the service level, and nobody's
phone will ring for problems they did not create.
But in order to arrive at this level of deployment, we need to convince
application developers that DNSSEC is already a stable target. Inventing
more and more knobs does not exactly signal that.
Of course, it will help having validating local resolvers in most major
platforms :)
Daniel
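As an added illustration of the end-node model argued for above (not part of Daniel's post and not configuration taken from any of the participants), here is an Unbound configuration for a validating resolver listening only on the local host. The trust anchor path, the listening address and the domain named in the per-user exception are assumptions chosen for the example. The point it makes concrete: the decision whether to validate, and whether to carve out an exception for one broken zone, is taken on the end node by the user who would otherwise be picking up the phone, rather than by an operator of a shared caching resolver serving thousands of people.

```conf
# Example Unbound configuration for a validating resolver on an end node.
# Added illustration; paths and names below are assumed, not from the thread.
server:
    # Listen only on the local host: this resolver serves this machine's user.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Enable the validator module so answers are checked here, at the end node.
    module-config: "validator iterator"

    # Root trust anchor, maintained automatically per RFC 5011 (assumed path).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Weak setting (commented out): "yes" would hand out bogus answers as if
    # they were fine, which is the status quo ante with none of the benefit.
    # val-permissive-mode: yes
    val-permissive-mode: no

    # Do not accept answers from which upstream stripped the DNSSEC records.
    harden-dnssec-stripped: yes

    # The per-user choice: if one zone is broken, this user alone decides to
    # treat it as unsigned, without touching anyone else's validation.
    # (example domain; assumed for illustration)
    # domain-insecure: "broken.example"
```

With `val-permissive-mode: no` a validation failure is returned as SERVFAIL to this user only; uncommenting `domain-insecure` for a specific zone is the local equivalent of the service-level bypass knobs the thread objects to, but its blast radius is one machine.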
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs