[dns-operations] 10% was Re: .mm ....

Jaroslav Benkovský jaroslav.benkovsky at nic.cz
Mon Jan 21 10:26:05 UTC 2013

On 01/19/2013 09:28 PM, Matthäus Wander wrote:
> I think it's more like "I'll tolerate an expired signature for 10% of
> the original validity period and use that extra time to let other people
> notice and fix it".
> Assuming that 1) the majority of validators do *not* tolerate expired
> signatures and 2) most DNSSEC failures are fixed within that 10%, it is
> a way to trade off reliability vs. security.

That's rather reminiscent of parents who don't get their children
vaccinated for fear of side-effects and instead rely on *other* children
being vaccinated.

Being tolerant to garbled input is what caused the sorry mess of HTML,
with its quirk parsing modes and incompatibilities.

> It's not cool to be one of the few resolvers suffering from DNSSEC
> configuration errors that other people caused, while all the
> non-validating resolvers seem to work fine. The security benefit is
> hardly noticed by users outside of the DNS community as long as
> applications are not showing green DNSSEC icons or other gizmos.

I used to work for the first major ISP here that switched DNSSEC
validation on, so I can only commiserate with you :).

Jarda Benkovsky
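An added toy model (not code from this thread or from any resolver) of the two policies the quoted paragraph contrasts: the strict RFC 4035 time check beside a validator that tolerates an expired signature for a grace of 10% of its original validity period. The RRSIG and timestamps are constructed; the time fields are compared with RFC 1982 serial arithmetic as RRSIG Inception/Expiration require.

```python
# Added toy model of the policies discussed in the thread; not resolver code.
# RRSIG Inception/Expiration are 32-bit seconds since the epoch (RFC 4034 3.1.5)
# and must be compared with RFC 1982 serial arithmetic.
from dataclasses import dataclass

MOD = 1 << 32

def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' for 32-bit serial numbers, so a wrap past 2^32
    does not make every later time look earlier."""
    a %= MOD
    b %= MOD
    return (a < b and b - a < MOD // 2) or (a > b and a - b > MOD // 2)

@dataclass(frozen=True)
class Rrsig:
    inception: int   # seconds since epoch, mod 2^32
    expiration: int

    def validity_period(self) -> int:
        """Length of the original validity interval in seconds."""
        return (self.expiration - self.inception) % MOD

def rrsig_time_ok(sig: Rrsig, now: int, grace_fraction: float = 0.0) -> bool:
    """grace_fraction == 0.0 is the strict RFC 4035 5.3.1 rule:
    inception <= now <= expiration (serial arithmetic).
    grace_fraction == 0.10 models the lenient policy from the thread:
    the expiration is pushed back by 10% of the original validity period."""
    grace = int(sig.validity_period() * grace_fraction)
    effective_expiration = (sig.expiration + grace) % MOD
    if serial_lt(now, sig.inception):
        return False          # not yet valid
    return not serial_lt(effective_expiration, now)

def verdicts(sig: Rrsig, now: int) -> dict:
    """What a strict validator and a 10%-tolerant one conclude at 'now'."""
    return {"strict": rrsig_time_ok(sig, now),
            "tolerant_10pct": rrsig_time_ok(sig, now, 0.10)}

# Constructed sample: signed 2013-01-01 00:00 UTC for 30 days, so the
# tolerant validator keeps accepting for another 3 days after expiration.
SAMPLE = Rrsig(inception=1356998400, expiration=1356998400 + 30 * 86400)
TWO_DAYS_PAST = SAMPLE.expiration + 2 * 86400
FOUR_DAYS_PAST = SAMPLE.expiration + 4 * 86400
```

Both validators reject the signature before its inception and four days after expiration; only the tolerant one still accepts it two days past expiration, which is exactly the window in which the outage stays invisible to that resolver's users.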
