Re: [DNSOP] DNSSEC actual failures log where?

2020-05-14 Thread Vladimír Čunát
On 5/14/20 4:50 PM, Bob Harold wrote: > I am preparing to enable DNSSEC validation, so I am working on alerts > for failed validations, so I can see whether they are user errors > (that might need negative trust anchors or other exceptions) or actual > attacks. > But it seems that the "dnssec" cate

[DNSOP] DNSSEC actual failures log where?

2020-05-14 Thread Bob Harold
I am preparing to enable DNSSEC validation, so I am working on alerts for failed validations, so I can see whether they are user errors (that might need negative trust anchors or other exceptions) or actual attacks. But it seems that the "dnssec" category logs all sorts of DNSSEC issues, even if th

Re: [DNSOP] DNSSEC validates even if expired?

2020-05-14 Thread Bob Harold
On Thu, May 14, 2020 at 10:25 AM Mukund Sivaraman wrote: > Hi Bob > > On Thu, May 14, 2020 at 10:02:45AM -0400, Bob Harold wrote: > > I am preparing to enable DNSSEC validation, so I am working on alerts for > > failed validations, so I can see whether they are user errors (that might > > need ne

Re: [DNSOP] DNSSEC validates even if expired?

2020-05-14 Thread Mukund Sivaraman
Hi Bob On Thu, May 14, 2020 at 10:02:45AM -0400, Bob Harold wrote: > I am preparing to enable DNSSEC validation, so I am working on alerts for > failed validations, so I can see whether they are user errors (that might > need negative trust anchors or other exceptions) or actual attacks. > > I st

[DNSOP] DNSSEC validates even if expired?

2020-05-14 Thread Bob Harold
I am preparing to enable DNSSEC validation, so I am working on alerts for failed validations, so I can see whether they are user errors (that might need negative trust anchors or other exceptions) or actual attacks. I stumbled on "mff.cuni.cz" which has RRSIG records that expired 3 months ago, but

Re: [DNSOP] Call for Adoption: draft-toorop-dnsop-dns-catalog-zones

2020-05-14 Thread Miek Gieben
I think making this document a standard would be a mistake. I think NOT publishing this document at all would be a BAD thing. I support adoption and will review and continue to argue against standards track. +1 on what's said here. /Miek -- Miek Gieben