On Fri, Jan 18, 2013 at 09:08:37AM +1100, Mark Andrews wrote a message of 38 lines which said:
> .mm failed to re-sign their DNSKEY RRset.
Note that, because Unbound is tolerant by default ("10 % rule"),
Unbound users will see the problem only on Sunday:
# BIND
% dig @149.20.64.20 DNSKEY mm
On Jan 17 2013, Mark Andrews wrote:
.mm failed to re-sign their DNSKEY RRset.
Not for the first time - see
https://lists.dns-oarc.net/pipermail/dns-operations/2012-July/008632.html
and following. I wrote then
| I noticed this only because http://stats.research.icann.org/dns/tld_report/
| dr
On Jan 18 2013, Stephane Bortzmeyer wrote:
On Fri, Jan 18, 2013 at 09:08:37AM +1100, Mark Andrews wrote a message of 38 lines which said:
.mm failed to re-sign their DNSKEY RRset.
Note that, because Unbound is tolerant by default ("10 % rule"),
Unbound users will see the problem only on S
Chris Thompson wrote on 01/18/2013 10:06:25 AM:
> Is fudging the expiry times like that really a good idea? If all
> validators allowed a 10% overrun, DNS operators would just
> get 10% sloppier and we would be back where we started.
In some percentage of cases, that will most likely be true. I
It's an acceptable idea - certainly not a bad one.
Adding security to an existing system will, inherently, make it more brittle.
Whatever can be done to soften the brittleness while retaining the basic need
for security should be done for the sake of resilience and availability of the
system
On Jan 18, 2013, at 11:05 AM, Edward Lewis wrote:
> Adding security to an existing system will, inherently, make it more brittle.
I strongly disagree with this statement. Increasing resilience under duress
should be a key goal of any security enhancement; if it doesn't do this, then
it hasn'
On Jan 18, 2013, at 12:18, Dobbins, Roland wrote:
>
> On Jan 18, 2013, at 11:05 AM, Edward Lewis wrote:
>
>> Adding security to an existing system will, inherently, make it more
>> brittle.
>
> I strongly disagree with this statement. Increasing resilience under duress
> should be a key go
In message ,
wbr...@e1b.org writes:
> Chris Thompson wrote on 01/18/2013 10:06:25 AM:
>
> > Is fudging the expiry times like that really a good idea? If all
> > validators allowed a 10% overrun, DNS operators would just
> > get 10% sloppier and we would be back where we started.
10% of what.
> From: Mark Andrews
> sign the zone two weeks ago they should have gone insecure by having
> the DS records pulled from the root. There is no valid excuse for
> letting your zone go to invalid.
That's as true as saying there's no valid excuse for making any error.
A better way to state that truth
...
Vernon Schryver wrote:
> ...
>>> I think this comes under "be liberal in what you accept."
>> No it doesn't.
>
> Indeed, "be liberal in what you accept" generally never has and should
> not apply to security. Who is liberal enough to accept passwords that
> are 90% right and public keys that
On 2013-01-19, at 06:05, Edward Lewis wrote:
> The posed question is whether expanding the lifetime of a signature by "10%"
> is a good idea.
I'll assume (since I didn't see the original mail) that the proposal is to make
validators tolerant by 10%, rather than to change anything on the autho
On 18 January 2013 16:59, wrote:
> Chris Thompson wrote on 01/18/2013 10:06:25 AM:
>
>> Is fudging the expiry times like that really a good idea? If all
>> validators allowed a 10% overrun, DNS operators would just
>> get 10% sloppier and we would be back where we started.
>
> In some percentage