[144426] in North American Network Operators' Group


Re: Microsoft deems all DigiNotar certificates untrustworthy,

daemon@ATHENA.MIT.EDU (Mark Andrews)
Sun Sep 11 19:26:28 2011

To: Valdis.Kletnieks@vt.edu
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Sun, 11 Sep 2011 15:32:06 -0400."
 <146102.1315769526@turing-police.cc.vt.edu>
Date: Mon, 12 Sep 2011 09:25:23 +1000
Cc: NANOG mailing list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In message <146102.1315769526@turing-police.cc.vt.edu>, Valdis.Kletnieks@vt.edu
 writes:
> (*) Has anybody actually enabled "only accept DNSSEC-signed A records"
> on an end user system and left it enabled for more than a day before
> giving up in disgust? ;)

No.  But I run with "reject anything that doesn't validate" and
have for several years now and that doesn't suck.  We will never
be in a world where all DNS records validate unless we do DNSng and
that DNSng requires that all answers be signed.

Except as an academic exercise, I would never expect anyone would
configure a validator to require that all answers validate as secure.

DNSSEC gives you "provably secure", "provably insecure" and "bogus".

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
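The three validation outcomes named above, as an added example that is not part of the original message or of any ISC/BIND code: a toy Python model of the RFC 4035 chain-of-trust walk, followed by the two resolver policies being contrasted in the thread ("reject anything that doesn't validate", i.e. drop only bogus answers, versus "require that every answer be secure"). The zone names, the Delegation record layout and the three DS states are assumptions made for the example; real validators also handle cases this model omits, such as a DS set whose algorithms are all unsupported (treated as insecure) and key or signature expiry.

```python
"""Toy model of DNSSEC validation states and two validator policies.

Example code written for this page; it is not ISC/BIND logic. The
delegation chains below are constructed inputs, not real DNS data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The three states a validating resolver assigns to an answer (RFC 4035 s4.3).
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# How the parent zone accounts for the child's DS record (assumed labels).
DS_PRESENT = "present"              # parent publishes a DS matching a child DNSKEY
DS_PROVEN_ABSENT = "proven_absent"  # parent returns a signed NSEC/NSEC3 proof of no DS
DS_UNPROVEN = "unproven"            # no DS and no authenticated denial either


@dataclass(frozen=True)
class Delegation:
    """One step down the tree as the validator sees it (hypothetical type)."""
    name: str
    ds: str           # one of the DS_* labels above
    sigs_valid: bool  # RRSIGs in this zone verify under the key the DS points at


def validate_chain(chain: List[Delegation]) -> str:
    """Walk from the root trust anchor down to the answering zone.

    The first element is the root itself; the configured trust anchor plays
    the role of its DS, so it is modelled as DS_PRESENT.
    """
    state = SECURE
    for step in chain:
        if state == INSECURE:
            # Inside an unsigned island nothing can be proven either way,
            # even if a zone further down happens to be signed.
            return INSECURE
        if step.ds == DS_PROVEN_ABSENT:
            state = INSECURE          # provably insecure: an authenticated "no DS"
        elif step.ds == DS_PRESENT:
            if not step.sigs_valid:
                return BOGUS          # secure delegation, but the data does not verify
            state = SECURE
        else:
            return BOGUS              # signed parent, no DS, no denial: cannot be trusted
    return state


def accept(state: str, policy: str) -> bool:
    """Apply one of the two policies discussed in the thread."""
    if policy == "reject_bogus":      # drop only what fails validation
        return state != BOGUS
    if policy == "require_secure":    # drop everything that is not provably secure
        return state == SECURE
    raise ValueError(f"unknown policy {policy!r}")


# Constructed lookups (not real zones) covering each outcome.
ROOT = Delegation(".", DS_PRESENT, True)
LOOKUPS: Dict[str, List[Delegation]] = {
    # fully signed chain root -> TLD -> zone
    "www.signed.example.": [ROOT, Delegation("example.", DS_PRESENT, True),
                            Delegation("signed.example.", DS_PRESENT, True)],
    # signed TLD, child has an authenticated "no DS": insecure, not an error
    "www.unsigned.example.": [ROOT, Delegation("example.", DS_PRESENT, True),
                              Delegation("unsigned.example.", DS_PROVEN_ABSENT, True)],
    # a signed grandchild below an unsigned zone still cannot be validated
    "www.signed.unsigned.example.": [ROOT, Delegation("example.", DS_PRESENT, True),
                                     Delegation("unsigned.example.", DS_PROVEN_ABSENT, True),
                                     Delegation("signed.unsigned.example.", DS_PRESENT, True)],
    # secure delegation but the signatures do not verify (forged or broken)
    "www.forged.example.": [ROOT, Delegation("example.", DS_PRESENT, True),
                            Delegation("forged.example.", DS_PRESENT, False)],
    # signed parent, no DS and no NSEC/NSEC3 denial: also bogus
    "www.broken.example.": [ROOT, Delegation("example.", DS_PRESENT, True),
                            Delegation("broken.example.", DS_UNPROVEN, True)],
}


def classify(policy: str) -> Dict[str, Tuple[str, bool]]:
    """Map each constructed lookup to (validation state, accepted under policy)."""
    return {name: (validate_chain(chain), accept(validate_chain(chain), policy))
            for name, chain in LOOKUPS.items()}


if __name__ == "__main__":
    for policy in ("reject_bogus", "require_secure"):
        print(policy)
        for name, (state, ok) in classify(policy).items():
            print(f"  {name:35} {state:9} {'accept' if ok else 'SERVFAIL'}")
```

Under "reject_bogus" only the two bogus chains are refused, which is why that setting is livable on an ordinary network; under "require_secure" every unsigned zone, and everything beneath one, turns into SERVFAIL, which is the behaviour Valdis asks about. The important distinction for a security engineer is that "insecure" is an authenticated statement from the signed parent, not the absence of a signature: an attacker who strips the RRSIGs from a signed zone produces a bogus answer, not an insecure one.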

