[Dnssec-deployment] Expired RRSIGs for .be

bert hubert bert.hubert at netherlabs.nl
Mon Oct 11 02:09:59 EDT 2010


On Mon, Oct 11, 2010 at 01:35:02AM -0400, Paul Wouters wrote:
> In the near future, they will notice the severe lack of emails from ANYONE......

A word from the operational internet access provider world - as long as this
kind of signature expiry thing keeps happening, validation will not be
turned on.

A single customer outage interaction is costed at upwards of $10. Annual
profits per subscriber are in the same dimension as that amount.

So do not count on large-scale validation to force people to clean up their
act.

It is more the other way around: as long as DNSSEC causes outages for
validators, commercial access providers will not turn on validation.

I punted the 'negative/null TAR' idea at ICANN in Brussels where domains
could centrally publish, in an authenticated fashion, that they've messed up
their DNSSEC and would like a free pass instantly until they've figured it
out.

This might help.

	Bert

