[dns-operations] slack.com bogus
Paul Vixie
paul at redbarn.org
Thu Sep 30 21:51:33 UTC 2021
Paul Ebersman wrote on 2021-09-30 14:30:
> ...
>
> NTAs in production use aren't even vaguely new. They've been in wide use
> for 8-10 years that I'm aware of. They are part of why folks like
> google, cloudflare, comcast et al are willing to do DNSSEC validation in
> production.

i know that. i just don't like it. without backpressure, sloppiness will
normalize. (always.)

> Doing it automatically is bad, as per RFC 7646, but it is a valid
> response if it's a large site and mistake rather than malicious.
>

when considering only one's own ring queue / ticket queue, that's
certainly so.

i hope that there's a long enough long tail on NTA deployment that the
cost of getting one's keys or signatures mixed up is still horrific. i
don't know how to measure that.

vixie