[dns-operations] .mm off the air for anyone who validates
warren at kumari.net
Sat Jan 19 18:21:18 UTC 2013
On Jan 19, 2013, at 12:18 AM, Mike Jones <mike at mikejones.in> wrote:
> On 18 January 2013 16:59, <WBrown at e1b.org> wrote:
>> Chris Thompson wrote on 01/18/2013 10:06:25 AM:
>>> Is fudging the expiry times like that really a good idea? If
>>> all validators allowed a 10% overrun, DNS operators would just
>>> get 10% sloppier and we would be back where we started.
>> In some percentage of cases, that will most likely be true. In others,
>> there may be an extenuating circumstance that delays the process.
>> I think this comes under "be liberal in what you accept."
> It's being a bit too liberal if you accept a signature that doesn't
> validate as if it was valid, I suspect (without confirming with the
> authors) that the 10% fudge is probably more about clock inaccuracy
> than anything else. The signatures should have been re-signed before
> they expired, even if some subset of resolvers are willing to accept a
> recently valid signature as being the same as a currently valid one.
> If I walk in to a shop with a discount voucher that says it expired
> yesterday and I argued "well it was valid yesterday" I doubt many
> places would respond with "oh, well in that case it's obviously valid
Actually, a large number of retailers will accept expired coupons and discounts, including many CVS, Bed Bath and Beyond, Harmon, Bath and Body Works, etc.
Now, that is their choice -- having someone decide for them whether or not they will accept the discount (which is IMO more like the Inbound case) would be different.
> If I administer a DNS zone and I know I can probably sign once per
> week but occasionally it might be delayed, then I would be stupid to
> only sign for 1 week at a time expecting everyone to continue to
> accept my invalid signatures until I get around to fixing it. If it
> could potentially take up to 6 months before you can get around to
> re-signing your zone, then you should factor that in to your expiry
> dates (and consider fixing whatever processes take you that long to
> get a zone signed!)
> - Mike
Curse the dark, or light a match. You decide, it's your dark.
-- Valdis Kletnieks
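
The trade-off argued in the thread above, as an added example that is not part of any poster's message: it reads the validity window from an RRSIG in presentation format, checks it the way a strict validator and a "10% fudge" validator would, and computes how much validity remains if a re-sign runs late. The sample record, the function names, treating the fudge as a fraction of the signature lifetime applied at both ends, and taking the signing time to be the inception time are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample record (not from the thread); the signature field is a placeholder.
SAMPLE_RRSIG = ("example. 3600 IN RRSIG SOA 8 1 3600 "
                "20130112000000 20130105000000 12345 example. c2lnbmF0dXJl")


def _ts(s):
    # RRSIG presentation timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_window(record):
    """Return (inception, expiration) from an RRSIG in presentation format."""
    fields = record.split()
    rdata = fields[fields.index("RRSIG") + 1:]
    # RDATA order: type-covered alg labels orig-ttl EXPIRATION INCEPTION key-tag signer sig
    return _ts(rdata[5]), _ts(rdata[4])


def validator_accepts(record, now, fudge=0.0):
    """Time check only: is `now` inside the window widened by fudge * lifetime?"""
    inception, expiration = rrsig_window(record)
    slack = (expiration - inception) * fudge  # assumption: fudge scales with lifetime
    return inception - slack <= now <= expiration + slack


def resign_margin(record, resign_every, worst_delay):
    """Validity left when the next re-sign lands as late as it plausibly can.

    Assumes the zone was signed at the inception time. A negative result is
    the gap during which strict validators see only expired signatures.
    """
    inception, expiration = rrsig_window(record)
    return expiration - (inception + resign_every + worst_delay)


if __name__ == "__main__":
    now = datetime(2013, 1, 12, 12, 0, tzinfo=timezone.utc)  # 12 hours past expiry
    print("strict validator accepts:", validator_accepts(SAMPLE_RRSIG, now))
    print("10% fudge accepts:       ", validator_accepts(SAMPLE_RRSIG, now, fudge=0.10))
    print("margin, weekly re-sign delayed 2 days:",
          resign_margin(SAMPLE_RRSIG, timedelta(days=7), timedelta(days=2)))
```
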