Microsoft deems all DigiNotar certificates untrustworthy, releases updates
Mark Andrews
marka at isc.org
Sun Sep 11 23:25:23 UTC 2011
In message <146102.1315769526 at turing-police.cc.vt.edu>, Valdis.Kletnieks at vt.edu
writes:
> (*) Has anybody actually enabled "only accept DNSSEC-signed A records"
> on an end user system and left it enabled for more than a day before
> giving up in disgust? ;)
No. But I run with "reject anything that doesn't validate" and
have for several years now and that doesn't suck. We will never
be in a world where all DNS records validate unless we do DNSng and
that DNSng requires that all answers be signed.
Except as a academic exercise, I would never expect anyone would
configure a validator to require that all answers validate as secure.
DNSSEC gives you "provable secure", "provable insecure" and "bogus".
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the NANOG
mailing list