[Dnssec-deployment] Analysis of NASA.GOV DNSSEC Issue 18-Jan-2012

Andre Grueneberg list.dnssec-deployment at grueneberg.de
Fri Jan 27 19:15:28 EST 2012


Livingood, Jason wrote:
> This is where validation implementers like me need to do some creative
> thinking (with help from folks here of course). It'll probably take a lot
> of experimentation to figure out the right way(s) to do so, but this is
> where the work is I think. And getting it right will prevent a lot of
> customer calls and upset.

How about some browser facility to initiate an additional query with CD
flag set? If this yields a different result: indicate DNSSEC issue. A
bit like Certificate validation failures.

Okay, this opens potential for people to ignore the hard failure in
recursor validation. [I know, people are used to ignoring warnings]

Anyway, we'd have default: hard failure, optional: more information and
temporary circumvention if application supports it.

Andre
-- 
Control Character: Maxwell Smart, Agent 86.
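
The comparison proposed in the message above, as an added example (not part of the original post and not code from any browser or resolver): send the same question with and without the CD (Checking Disabled) bit and compare the response codes. It relies on the fact that a validating recursor answers SERVFAIL when validation fails; the function names, the result labels and the `fake_response` helper are hypothetical, and the sample replies are constructed.

```python
import socket
import struct

FLAG_QR, FLAG_RD, FLAG_RA, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0010
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

def build_query(qname, qtype=1, cd=False, txid=0x1234):
    """Wire-format query for qname; cd=True sets the Checking Disabled bit."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return (struct.pack("!6H", txid, flags, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!2H", qtype, 1))

def rcode(msg):
    """RCODE is the low 4 bits of the header flags word."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    return struct.unpack("!6H", msg[:12])[1] & 0x000F

def classify(validated, unchecked):
    """Compare the normal response with the CD=1 response."""
    v, u = rcode(validated), rcode(unchecked)
    if v == SERVFAIL and u in (NOERROR, NXDOMAIN):
        return "dnssec-failure"       # an answer exists, validation rejected it
    if v == u:
        # Both SERVFAIL means resolution is broken with or without validation.
        return "not-dnssec-specific" if v == SERVFAIL else "consistent"
    return "inconclusive"

def probe(qname, resolver, timeout=3.0):
    """Send both queries over UDP to an IPv4 recursor (needs network)."""
    replies = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, cd=cd), (resolver, 53))
            replies.append(s.recv(4096))
    return classify(*replies)

def fake_response(query, code, answer=False):
    """Constructed resolver reply for offline testing (not captured traffic)."""
    txid, flags = struct.unpack("!2H", query[:4])
    hdr = struct.pack("!6H", txid, flags | FLAG_QR | FLAG_RA | code,
                      1, 1 if answer else 0, 0, 0)
    rr = (b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4)
          + bytes([192, 0, 2, 1])) if answer else b""
    return hdr + query[12:] + rr
```

Only the "dnssec-failure" result justifies the browser-style warning the message describes; the default stays a hard failure.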