[Dnssec-deployment] Expired RRSIGs for .be

bert hubert bert.hubert at netherlabs.nl
Mon Oct 11 02:09:59 EDT 2010

On Mon, Oct 11, 2010 at 01:35:02AM -0400, Paul Wouters wrote:
> In the near future, they will notice the severe lack of emails from ANYONE......

A word from the operational internet access provider world - as long as this
kind of signature expiry thing keeps happening, validation will not be
turned on.

A single customer outage interaction is costed at upwards of $10. Annual
profits per subscriber are in the same dimension as that amount.

So do not count on large scale validation to force people to clean up their

It is more the other way around: as long as DNSSEC causes outages for
validators, commercial access providers will not turn on validation.

I punted the 'negative/null TAR' idea at ICANN in Brussels where domains
could centrally publish, in an authenticated fashion, that they've messed up
their DNSSEC and would like a free pass instantly until they've figured it

This might help.

