[dnssec-deployment] Fwd: [IP] Good Always Comes Out of Bad
Mark_Andrews at isc.org
Mon Jun 30 00:08:03 EDT 2008
> On Mon, Jun 30, 2008 at 02:37:51AM +0000, Paul Vixie wrote:
> > > Well just making sure the new NS RRset matches that advertised
> > > by the existing and new servers would provide some benefit.
> > > Registrars which do this have a level of immunity to a set
> > > of attacks. Signed responses improved the immunity still
> > > further.
> > >
> > > Note having the old servers advertise the new NS RRset is just
> > > good management practice.
> but, unfortunately, not always possible.
True, but only in exceptional circumstances. Under normal operating
procedures you have control of both new and old servers. Failure
to have such control should trigger a red flag and extra vetting of
> > > Mark
> > perhaps if there were an RFC covering those recommendations, subject to
> > the usual IETF peer review, then they could have some impact on rollout.
> It's certainly another step in turning the "Engineering" into
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
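
Added example, not part of the original message or of any registrar's code: a sketch of the check discussed above, in which a requested NS RRset is accepted only if every old and new server advertises it, and anything else is flagged for extra vetting. The function names, the result layout and the `.example` sample data are assumptions constructed for illustration; the advertised sets would in practice come from direct queries to each server.

```python
from typing import Dict, Iterable, Optional, Set

def norm(name: str) -> str:
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def nsset(names: Iterable[str]) -> Set[str]:
    return {norm(n) for n in names}

def vet_ns_change(requested: Iterable[str],
                  old_servers: Iterable[str],
                  advertised: Dict[str, Optional[Iterable[str]]]) -> dict:
    """Compare the requested NS RRset with what each old and new server advertises.

    advertised maps server name -> NS RRset it returned for the zone apex,
    or None if it gave no authoritative answer (hypothetical input format).
    """
    want = nsset(requested)
    answers = {norm(s): (None if v is None else nsset(v))
               for s, v in advertised.items()}
    findings = []
    for server in sorted(want | nsset(old_servers)):
        role = "new" if server in want else "old"
        got = answers.get(server)
        if got is None:
            # No control over (or no answer from) a server: red flag.
            findings.append((server, role, "no authoritative answer"))
        elif got != want:
            detail = f"missing={sorted(want - got)} extra={sorted(got - want)}"
            findings.append((server, role, "mismatch " + detail))
    return {"accept": not findings, "extra_vetting": bool(findings),
            "findings": findings}

# Constructed sample data (not from the thread).
REQUESTED = ["ns1.new.example.", "NS2.New.Example"]
OLD = ["ns1.old.example.", "ns2.old.example."]
# Normal case: requester controls old and new servers, all advertise the new set.
CLEAN = {s: REQUESTED for s in REQUESTED + OLD}
# Exceptional case: one old server still advertises the old set, one is silent.
SUSPECT = {**CLEAN, "ns1.old.example.": OLD, "ns2.old.example.": None}

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, vet_ns_change(REQUESTED, OLD, data))
```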