On 22. 8. 2013, at 21:59, [email protected] wrote:

> Our browsers give us the option to trust invalid TLS certificates, some
> even storing it indefinitely. Is an NTA much different?

And in certain circles it's considered one of the biggest mistakes that could have happened, and the reason why the whole PKI fails so hard now.

On the other hand we have a set of scripts that monitor the domains in .CZ zones and they rip-off the DNSSEC from the domain if a set of conditions are fulfilled:

- the validation fails for a defined time
- the KEYSET matches the manually defined regex for automatic registrar keys

(And we have an agreement from our registrars who do by-default signing that it's ok.)

We have also added a trigger that removes KEYSET when NSSET changes (and KEYSET is not updated in the same go).

So our experience is that most of the errors come from badly managed transfers, and that set of workarounds fixed most of it. So our view is that it's more an operational problem on the parent side than on the resolver side.

O.
--
Ondřej Surý -- Chief Science Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:[email protected] http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------
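The two parent-side clean-up rules described in the message above (strip a registrar-automatic KEYSET after validation has failed for a defined time; strip the KEYSET when the NSSET changes without a matching KEYSET update), modelled as an added example. This is illustration code, not CZ.NIC's actual scripts: the regex for automatic registrar keys, the three-day grace period, the KEYSET/NSSET handles and the sample domains are all constructed placeholders, and the validation status is assumed to be fed in by a separate monitoring check.

```python
"""Model of the .CZ-style parent-side DNSSEC clean-up rules from the post.
Added illustration; regex, grace period and sample data are constructed."""
import re
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Placeholder for the "manually defined regex for automatic registrar keys";
# the real .CZ pattern is not on the page.
AUTO_REGISTRAR_KEY_RE = re.compile(r"^AUTO-[A-Z0-9]+-\d+$")

# "Validation fails for a defined time": constructed value.
FAILURE_GRACE = timedelta(days=3)


@dataclass(frozen=True)
class Domain:
    name: str
    nsset: str                                 # NSSET handle (delegation)
    keyset: Optional[str]                      # KEYSET handle, None if unsigned
    failing_since: Optional[datetime] = None   # first observed validation failure, UTC


def validation_rule(d: Domain, now: datetime) -> Optional[str]:
    """Periodic monitor: strip only registrar-automatic keysets that have
    been failing for the whole grace period. Returns the reason or None."""
    if d.keyset is None or d.failing_since is None:
        return None
    if now - d.failing_since < FAILURE_GRACE:
        return None  # still inside the grace period: give the operator time to fix it
    if not AUTO_REGISTRAR_KEY_RE.match(d.keyset):
        return None  # manually managed keyset: no registrar agreement, leave it alone
    return "validation failing for %s" % (now - d.failing_since)


def transfer_rule(before: Domain, after: Domain) -> Optional[str]:
    """Update trigger: NSSET changed but the KEYSET was carried over unchanged,
    i.e. the new DNS operator most likely does not hold the old keys."""
    if after.keyset is None:
        return None
    if before.nsset != after.nsset and before.keyset == after.keyset:
        return "NSSET changed %s -> %s without KEYSET update" % (before.nsset, after.nsset)
    return None


def strip_keyset(d: Domain) -> Domain:
    """The 'rip-off': the domain becomes unsigned at the parent (DS records go away)."""
    return replace(d, keyset=None, failing_since=None)


def run_monitor(domains, now):
    """Apply the validation rule over a batch; returns {name: reason} for strip decisions."""
    actions = {}
    for d in domains:
        reason = validation_rule(d, now)
        if reason:
            actions[d.name] = reason
    return actions


# Constructed sample data: the moment of the post and four delegations.
SAMPLE_NOW = datetime(2013, 8, 22, 21, 59, tzinfo=timezone.utc)
SAMPLE = {
    "broken-auto.cz": Domain("broken-auto.cz", "NSSET-OLD", "AUTO-REG1-42",
                             failing_since=SAMPLE_NOW - timedelta(days=4)),
    "broken-manual.cz": Domain("broken-manual.cz", "NSSET-A", "MYKEYS-1",
                               failing_since=SAMPLE_NOW - timedelta(days=30)),
    "fresh-failure.cz": Domain("fresh-failure.cz", "NSSET-A", "AUTO-REG1-7",
                               failing_since=SAMPLE_NOW - timedelta(hours=5)),
    "healthy.cz": Domain("healthy.cz", "NSSET-B", "AUTO-REG1-9"),
}


def demo():
    """Run both rules over the sample; returns {domain: reason} for every strip decision."""
    decisions = run_monitor(SAMPLE.values(), SAMPLE_NOW)
    # A transfer: healthy.cz moves to a new DNS operator but keeps the old KEYSET.
    moved = replace(SAMPLE["healthy.cz"], nsset="NSSET-C")
    reason = transfer_rule(SAMPLE["healthy.cz"], moved)
    if reason:
        decisions[moved.name] = reason
    return decisions


if __name__ == "__main__":
    for name, why in demo().items():
        print("strip KEYSET of %s: %s" % (name, why))
```

Only broken-auto.cz (automatic key, failing for four days) and the transferred healthy.cz are stripped; the manually keyed domain stays signed however long it fails, and the five-hour-old failure is still inside the grace period.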
