Shumon (& also replying to Viktor),

On Nov 10, 2014, at 1:18 PM, Shumon Huque <[email protected]> wrote:

> My site (www.huque.com.) also falls into that latter category. The annotation on Dan York's page should be updated - it currently says I don't have a secure delegation, which was true at one time in the past (blame a DNSSEC oblivious registrar), but no longer.

Yes, I noticed that when I looked at Viktor's test results this morning. I updated the page to move your site into the appropriate category:

http://www.internetsociety.org/deploy360/resources/dane-test-sites/

Based on Viktor's recent test (Thank you, Viktor!), I'm updating the page with other information.

I find it interesting that 3 of the 5 out-of-date sites would seem to be operational errors. Two of the sites Viktor tags as:

- Recent key rotation, no corresponding TLSA RR update.

and one is:

- Certificate unrelated to TLSA RR.

All of these would seem to be related to operational processes where some part of the security layers get updated without other corresponding layers being also updated.

I don't know that this is really anything that we as the IETF can do anything to help with... but it's interesting to understand where the breakdown in the process occurs.

Dan
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
