In message <201302070048.r170mosg004...@calcite.rhyolite.com>, Vernon Schryver
writes:
> My view is that if an outfit has so few other users that it doesn't
> hear when things break and doesn't care enough to monitor, then it's
> not worth my time to be a pest. By the time I notice a problem with a
> From: Mark Andrews
> > All of that gets back to honesty being the best policy and letting other
> > people fix their own stuff in their own time.
>
> And the more people that validate the bigger the peer pressure will
> be to fix dnssec problems promptly. However to do that you need
> working w
In message <201302062107.r16l7f9b066...@calcite.rhyolite.com>, Vernon Schryver
>
> All of that gets back to honesty being the best policy and letting other
> people fix their own stuff in their own time.
And the more people that validate the bigger the peer pressure will
be to fix dnssec problem
] from Augie Schwer
] Is there a way to exclude a domain from DNSSEC validation, like
] Unbound's "domain-insecure"?
Unless you start at the root with your own forged root trust anchor,
you cannot do more than lie to DNS clients that rely on you to
validate. DNS clients th
On Tue, 2013-02-05 at 17:01 -0800, Augie Schwer wrote:
> Is there a way to exclude a domain from DNSSEC validation, like
> Unbound's "domain-insecure"?
I have not tested this, but if you use RPZ to block the DS record for
nasa.
Is there a way to exclude a domain from DNSSEC validation, like
Unbound's "domain-insecure"?
For example, if a popular site (say nasa.gov) updates their keys
incorrectly so that their domain fails validation, you contact their
admins, and with a high level of confidence you dete
On 30/4/12 13:56 , Chris Thompson wrote:
>> http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
>>
>> Being actively discussed on DNSOP list
>
> It *was* being actively discussed there, up until about 10 days ago. Since
> then the participants seem to have stopped, maybe from
On Apr 30 2012, Warren Kumari wrote:
On Apr 26, 2012, at 2:51 PM, Jan-Piet Mens wrote:
[...]
From a Comcast talk at SATIN 2012 I believe they called that a "negative
trust anchor", and IIRC, the author wanted to publish a draft of its
operation. Haven't seen it yet though, and it's probably of
On Apr 26, 2012, at 2:51 PM, Jan-Piet Mens wrote:
> Augie,
>
>> Is there a way to exclude a domain from DNSSEC validation, like
>> Unbound's "domain-insecure"?
>
> That is regrettably not possible at the moment, at least not in BIND
> 9.9.0.
>
>
Jan-Piet Mens wrote:
>
> From a Comcast talk at SATIN 2012 I believe they called that a "negative
> trust anchor", and IIRC, the author wanted to publish a draft of its
> operation.
http://tools.ietf.org/html/draft-livingood-negative-trust-anchors
There has been a lot of discussion on the IETF d
2012 2:51 PM
>Subject: Re: Exclude a domain from DNSSEC validation, like Unbound's
>"domain-insecure".
>
>Augie,
>
>> Is there a way to exclude a domain from DNSSEC validation, like
>> Unbound's "domain-insecure"?
>
>That is regre
Augie,
> Is there a way to exclude a domain from DNSSEC validation, like
> Unbound's "domain-insecure"?
That is regrettably not possible at the moment, at least not in BIND
9.9.0.
The only (quite impracticable) workaround would be to define the zone
authoritatively you
Is there a way to exclude a domain from DNSSEC validation, like
Unbound's "domain-insecure"?
For example, if a popular site (say nasa.gov) updates their keys
incorrectly so that their domain fails validation, you contact their
admins, and with a high level of confidence you dete