Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Mark Andrews marka at
Sun Sep 11 23:25:23 UTC 2011

In message <146102.1315769526 at>, Valdis.Kletnieks at
> (*) Has anybody actually enabled "only accept DNSSEC-signed A records"
> on an end user system and left it enabled for more than a day before
> giving up in disgust? ;)

No.  But I run with "reject anything that doesn't validate" and
have for several years now and that doesn't suck.  We will never
be in a world where all DNS records validate unless we do DNSng and
that DNSng requires that all answers be signed.

Except as a academic exercise, I would never expect anyone would
configure a validator to require that all answers validate as secure.

DNSSEC gives you "provable secure", "provable insecure" and "bogus".

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the NANOG mailing list