Tim,

On Oct 29, 2014, at 2:55 PM, Morizot Timothy S <timothy.s.mori...@irs.gov> wrote:

> If an authoritative domain (e.g. irs.gov) screwed up its delegation NS
> records so it effectively went dark or made some similar sort of
> authoritative DNS or nameserver error, we wouldn't expect the recursive,
> caching side to resolve those sorts of errors. The domain's DNS would simply
> be unavailable until they resolved their problem.
>
> I'm not sure I understand why DNSSEC is somehow different.

Because folks who aren't validating see no problems, thus discouraging people from leaving validation on. To wit, on NANOG:

> From: Ray Van Dolson <rvandol...@esri.com>

"I saw the same errors in dnsviz, but was unsure if they were sufficient to cause lookup failures (they were "warnings" only).

# dig @8.8.8.8 disa.mil MX +dnssec
...

I do note that once we disabled DNSSEC on our resolvers we were able to push mail out to these domains. May have been coincidental -- needs further testing."

I figure it would be nice to give people the option of disabling validation for a single domain instead of turning validation off for everything.

Regards,
-drc
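A way to tell the two cases apart (a zone that has gone dark versus a zone that only fails for validating resolvers), as an added example that is not part of this thread: the same query is sent twice, once normally and once with CD (checking disabled), which gives a validating resolver the non-validating view. The dig headers embedded below are constructed samples, and `live_check` assumes `dig` is installed and the network is reachable.

```python
import re
import subprocess
from dataclasses import dataclass

ANSWERED = {"NOERROR", "NXDOMAIN"}  # rcodes that mean the resolver produced an answer

@dataclass
class Answer:
    rcode: str   # "NOERROR", "SERVFAIL", ... or "TIMEOUT" when dig got nothing back
    ad: bool     # Authenticated Data flag, set only by a validating resolver

def parse_dig(output: str) -> Answer:
    """Extract rcode and AD flag from dig's text output."""
    status = re.search(r"status: (\w+)", output)
    if status is None:
        return Answer("TIMEOUT", False)  # no header at all: no server answered
    flags = re.search(r"flags: ([a-z ]*);", output)
    ad = flags is not None and "ad" in flags.group(1).split()
    return Answer(status.group(1), ad)

def classify(normal: Answer, cd: Answer) -> str:
    """Compare a normal query with the same query sent with CD set.

    With CD a validating resolver returns what it got without validating,
    i.e. exactly what a non-validating resolver's users would see."""
    if normal.rcode not in ANSWERED and cd.rcode in ANSWERED:
        return "dnssec-validation-failure"  # zone answers, signatures do not validate
    if normal.rcode not in ANSWERED:
        return "authoritative-unreachable"  # broken delegation, dark nameservers, ...
    if normal.ad:
        return "ok-validated"
    return "ok-unvalidated"  # unsigned zone, or the resolver is not validating at all

def live_check(name: str, resolver: str = "8.8.8.8", rrtype: str = "MX") -> str:
    """Run both queries with dig (needs dig and network; not exercised offline)."""
    def query(*extra: str) -> Answer:
        cmd = ["dig", "@" + resolver, name, rrtype, "+dnssec", *extra]
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
        return parse_dig(out)
    return classify(query(), query("+cd"))

# Constructed dig headers (not real captures) standing in for the three outcomes.
SERVFAIL_HDR = (";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1\n"
                ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0\n")
CD_OK_HDR = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2\n"
             ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0\n")
AD_OK_HDR = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3\n"
             ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0\n")

if __name__ == "__main__":
    print(classify(parse_dig(SERVFAIL_HDR), parse_dig(CD_OK_HDR)))  # dnssec-validation-failure
```

Only the first outcome is the one the thread is about; the per-domain exception -drc asks for is what resolvers later shipped as negative trust anchors (BIND's `rndc nta`, Unbound's `domain-insecure:`), which scope the workaround to the broken zone instead of the whole resolver.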
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop