[dns-operations] .mm off the air for anyone who validates

Warren Kumari warren at kumari.net
Sat Jan 19 18:21:18 UTC 2013


On Jan 19, 2013, at 12:18 AM, Mike Jones <mike at mikejones.in> wrote:

> On 18 January 2013 16:59,  <WBrown at e1b.org> wrote:
>> Chris Thompson wrote on 01/18/2013 10:06:25 AM:
>> 
>>> Is fudging the expiry times like that really a good idea? If all
>>> validators allowed a 10% overrun, DNS operators would just
>>> get 10% sloppier and we would be back where we started.
>> 
>> In some percentage of cases, that will most likely be true.  In others,
>> there may be an extenuating circumstance that delays the process.
>> 
>> I think this comes under "be liberal in what you accept."
> 
> It's being a bit too liberal if you accept a signature that doesn't
> validate as if it was valid. I suspect (without confirming with the
> authors) that the 10% fudge is probably more about clock inaccuracy
> than anything else. The signatures should have been re-signed before
> they expired, even if some subset of resolvers are willing to accept a
> recently valid signature as being the same as a currently valid one.
> 
> If I walk in to a shop with a discount voucher that says it expired
> yesterday and I argued "well it was valid yesterday" I doubt many
> places would respond with "oh, well in that case it's obviously valid
> then".
> 

Actually, a large number of retailers will accept expired coupons and discounts, including many CVS, Bed Bath and Beyond, Harmon, Bath and Body Works, etc.

Now, that is their choice -- having someone decide for them whether or not they will accept the discount (which is IMO more like the Inbound case) would be different.

W
> If I administer a DNS zone and I know I can probably sign once per
> week but occasionally it might be delayed, then I would be stupid to
> only sign for 1 week at a time expecting everyone to continue to
> accept my invalid signatures until I get around to fixing it. If it
> could potentially take up to 6 months before you can get around to
> re-signing your zone, then you should factor that in to your expiry
> dates (and consider fixing whatever processes take you that long to
> get a zone signed!)
> 
> - Mike

--
Curse the dark, or light a match. You decide, it's your dark.
                -- Valdis Kletnieks
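
Added example, not part of the thread and not taken from any validator: a sketch of the expiry check being argued about, showing what a strict validator and one with a 10% allowance each conclude for the same RRSIG window, plus the re-signing slack Mike describes. It assumes the allowance is 10% of the signature lifetime (expiration minus inception); the function names and timestamps are constructed for illustration.

```python
from datetime import datetime, timezone

MOD = 1 << 32  # RRSIG inception/expiration are 32-bit seconds since 1970 (RFC 4034, 3.1.5)

def ts(y, m, d, h=0):
    """UTC calendar time -> RRSIG-style 32-bit timestamp."""
    return int(datetime(y, m, d, h, tzinfo=timezone.utc).timestamp()) % MOD

def serial_diff(a, b):
    """Signed a - b under RFC 1982 serial arithmetic, so the 2106 wrap is handled."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d

def check(inception, expiration, now, fudge_pct=10):
    """Classify a signature window as a strict and as a lenient validator would."""
    lifetime = serial_diff(expiration, inception)
    if lifetime <= 0:
        return "invalid"  # expiration not after inception
    since_inception = serial_diff(now, inception)
    past_expiry = serial_diff(now, expiration)
    if since_inception >= 0 and past_expiry <= 0:
        return "valid"  # inside the signed window, no allowance needed
    skew = lifetime * fudge_pct // 100  # assumption: allowance scales with lifetime
    if since_inception >= -skew and past_expiry <= skew:
        return "valid-only-with-fudge"
    return "invalid"

def resign_margin(validity, resign_every, worst_delay):
    """Slack in seconds when re-signing runs as late as it ever might.
    Negative: signatures expire before the replacement is published."""
    return validity - (resign_every + worst_delay)

if __name__ == "__main__":
    DAY = 86400
    inc, exp = ts(2013, 1, 10), ts(2013, 1, 17)  # constructed one-week window
    for label, now in [("day 6", ts(2013, 1, 16)), ("12h late", ts(2013, 1, 17, 12)),
                       ("24h late", ts(2013, 1, 18))]:
        print(label, check(inc, exp, now), "| strict:", check(inc, exp, now, 0))
    print("weekly signing, 1-week validity, 1-day delay:", resign_margin(7 * DAY, 7 * DAY, DAY))
    print("weekly signing, 30-day validity, 1-day delay:", resign_margin(30 * DAY, 7 * DAY, DAY))
```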




