[108037] in North American Network Operators' Group


Re: hat tip to .gov hostmasters

daemon@ATHENA.MIT.EDU (Mark Andrews)
Mon Sep 22 19:32:36 2008

Date: Tue, 23 Sep 2008 09:32:23 +1000 (EST)
From: Mark Andrews <marka@isc.org>
To: nanog@nanog.org
In-Reply-To: <82ljxkjjan.fsf@mid.bfk.de>
Cc: 
Errors-To: nanog-bounces@nanog.org

In article <82ljxkjjan.fsf@mid.bfk.de> you write:
>* marcus sachs:
>
>> While we wait for applications to become DNSSEC-aware,
>
>Uhm, applications shouldn't be DNSSEC-aware.  Down that road lies
>madness.  What should an end user do when the browser tells him,
>"Warning: Could not validate DNSSEC signature on www.example.com,
>signature has expired.  Continue to connect?"

	The application just rejects the answer.  Tries again a
	couple of times then reports failure.  This is no different
	to the application talking to the validating resolver a
	couple of times and then reporting failure.

	The advantage of having the application do it is that you
	don't need to secure the connection between the validating
	resolver and the application.

	Mark
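The trust distinction Mark draws above, as an added illustration (not code from the thread or from any ISC product): a stub that trusts the resolver's AD bit can only do so over a secured channel, because the AD bit is just an unauthenticated header flag on the wire; an application that validates for itself does not care how the answer arrived. The header bytes are constructed here, and `validate_locally` is an assumed stand-in for a real RRSIG validator.

```python
import struct

# DNS header flags word (RFC 1035 / RFC 4035): QR=0x8000, RD=0x0100, RA=0x0080, AD=0x0020
AD_FLAG = 0x0020

# Constructed 12-byte headers: id, flags, qdcount, ancount, nscount, arcount
HEADER_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)     # QR|RD|RA|AD
HEADER_NO_AD = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR|RD|RA


def ad_bit_set(message: bytes) -> bool:
    """Return True if the resolver asserted 'Authenticated Data' in the header."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", message[2:4])[0]
    return bool(flags & AD_FLAG)


def answer_is_trustworthy(message: bytes, channel_is_secure: bool, validate_locally) -> bool:
    """Decide whether the application may act on an answer.

    channel_is_secure: the path to the validating resolver is protected
        (loopback, TSIG, or a TLS-wrapped transport), so its AD bit is meaningful.
    validate_locally: assumed callback performing full DNSSEC validation of the
        message (RRSIG chain to a trust anchor); used when the channel is not secure.
    """
    if channel_is_secure:
        return ad_bit_set(message)
    # Unsecured path: AD is an unauthenticated bit, so the application must validate itself.
    return validate_locally(message)


def resolve(query, channel_is_secure: bool, validate_locally, attempts: int = 3) -> bytes:
    """Mark's procedure: reject an unvalidated answer, retry a couple of times, then fail."""
    for _ in range(attempts):
        message = query()
        if message is not None and answer_is_trustworthy(message, channel_is_secure, validate_locally):
            return message
    raise LookupError("no validated answer after %d attempts" % attempts)
```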

