[Dnssec-deployment] Expired RRSIGs for .be
bert.hubert at netherlabs.nl
Mon Oct 11 02:09:59 EDT 2010
On Mon, Oct 11, 2010 at 01:35:02AM -0400, Paul Wouters wrote:
> In the near future, they will notice the severe lack of emails from ANYONE......
A word from the operational internet access provider world - as long as this
kind of signature expiry thing keeps happening, validation will not be
A single customer outage interaction is costed at upwards of $10. Annual
profits per subscriber are in the same dimension as that amount.
So do not count on large scale validation to force people to clean up their
It is more the other way around, as long as DNSSEC causes outages for
validators, commercial access providers will not turn on validation.
I punted the 'negative/null TAR' idea at ICANN in Brussels where domains
could centrally publish, in an authenticated fashion, that they've messed up
their DNSSEC and would like a free pass instantly until they've figured it
This might help.
More information about the Dnssec-deployment