Microsoft deems all DigiNotar certificates untrustworthy, releases updates

• Previous message (by thread): Microsoft deems all DigiNotar certificates untrustworthy, releases updates
• Next message (by thread): Microsoft deems all DigiNotar certificates untrustworthy, releases updates
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In message <146102.1315769526 at turing-police.cc.vt.edu>, Valdis.Kletnieks at vt.edu
 writes:
> (*) Has anybody actually enabled "only accept DNSSEC-signed A records"
> on an end user system and left it enabled for more than a day before
> giving up in disgust? ;)

No.  But I run with "reject anything that doesn't validate" and
have for several years now and that doesn't suck.  We will never
be in a world where all DNS records validate unless we do DNSng and
that DNSng requires that all answers be signed.

Except as a academic exercise, I would never expect anyone would
configure a validator to require that all answers validate as secure.

DNSSEC gives you "provable secure", "provable insecure" and "bogus".

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

• Previous message (by thread): Microsoft deems all DigiNotar certificates untrustworthy, releases updates
• Next message (by thread): Microsoft deems all DigiNotar certificates untrustworthy, releases updates
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]