[Dnssec-deployment] RRSIG for arpa expired

Andrew Sullivan ajs at shinkuro.com
Mon Jun 7 14:38:56 EDT 2010


On Mon, Jun 07, 2010 at 01:15:12PM -0500, Michael Graff wrote:
> It doesn't have to stay this way, but I think today, with the current
> tools, this is a reasonable request.

I get the argument, for sure.  But I do seriously wonder whether the
claim "it doesn't have to stay this way" is borne out by any empirical
evidence.  I suspect that if we deploy DNSSEC in a mode where positive
validation happens but validation failures are treated as soft errors,
we'll live with that mode of operation effectively forever.

A

-- 
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.


More information about the Dnssec-deployment mailing list