Doug,

On Apr 13, 2012, at 6:51 PM, Doug Barton wrote:
> The problem is that there is absolutely no way for an ISP to determine 
> conclusively that the failure they are seeing is due to a harmless stuff-up, 
> vs. an actual security incident.

I suspect that in most cases, grepping through logs and comparing past 
(validated) results with current (unvalidated) results can provide sufficient 
information to ensure to an arbitrary level of certainty that the bad thing 
either is or is not happening.  For example, if the logs show the IP address 
for mail.example.com maps via whois into a block owned by Example, LLC. and the 
current IP address maps into a block owned by a dialup provider in Tajikistan, 
it's probably safe to assume the address shouldn't be trusted.

> IOW, if we do this, we might as well just abandon DNSSEC altogether.

Joe has pointed out that folks are already doing this. The question before us 
is whether or not there is a standard way of doing it.

>> I would be surprised if folks who implement
>> NTAs will stop using them if they are not accepted by the IETF.
> 
> Actually I think what's more likely to happen is that organizations
> conclude that validation is not ready for prime time, and turn it off.

I guess I have less faith in the power of the IETF.

Regards,
-drc

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
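
The triage David describes above (compare a resolver's earlier validated answers for a name with the current bogus one, then check whether the new address falls in a block held by the same registrant) can be sketched in code. The following is an added example for this thread, not something posted to the list or part of any resolver's own tooling. The log format, the hostnames, the addresses (all from RFC 5737 documentation ranges) and the whois-style ownership table are constructed here so the script runs offline; real triage would query an RIR (for example with the `whois` command) instead of the embedded table.

```python
"""Triage a DNSSEC validation failure by comparing historical (validated)
answers with the current (unvalidated) one, then comparing the registrants
of the address blocks involved.

Added example; not from the DNSOP thread.  Log format, names, addresses and
the whois-style table below are constructed for illustration.
"""

import ipaddress

# Constructed resolver log: timestamp, qname, rrtype, rdata, validation state.
SAMPLE_LOG = """\
2012-04-01T10:00:01Z mail.example.com A 192.0.2.25 secure
2012-04-02T10:00:02Z mail.example.com A 192.0.2.25 secure
2012-04-03T10:00:03Z www.example.com A 192.0.2.80 secure
2012-04-04T10:00:04Z mail.example.com A 192.0.2.26 secure
2012-04-13T18:51:00Z mail.example.com A 198.51.100.77 bogus
"""

# Constructed stand-in for whois (block -> registrant).  A real run would
# query the RIR; the table keeps the example offline and deterministic.
WHOIS_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "Example, LLC",
    ipaddress.ip_network("198.51.100.0/24"): "Some Dialup Provider",
    ipaddress.ip_network("203.0.113.0/24"): "Another Network",
}


def whois_owner(ip):
    """Return the registrant of the block containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, owner in WHOIS_TABLE.items():
        if addr in net:
            return owner
    return None


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, rrtype, rdata, state = line.split()
        records.append({"ts": ts, "qname": qname.lower().rstrip("."),
                        "rrtype": rrtype.upper(), "rdata": rdata, "state": state})
    return records


def validated_history(records, qname, rrtype="A"):
    """Set of rdata values previously returned for qname with state 'secure'."""
    qname = qname.lower().rstrip(".")
    return {r["rdata"] for r in records
            if r["qname"] == qname and r["rrtype"] == rrtype and r["state"] == "secure"}


def triage(records, qname, current_rdata, rrtype="A"):
    """Classify the current (unvalidated) answer against validated history.

    Returns (verdict, reason) where verdict is one of
    'unknown', 'consistent', 'probably-benign' or 'suspicious'.
    """
    history = validated_history(records, qname, rrtype)
    if not history:
        return "unknown", "no validated history for this name"
    if current_rdata in history:
        return "consistent", "address previously seen in a validated answer"
    past_owners = {whois_owner(ip) for ip in history}
    past_owners.discard(None)
    cur_owner = whois_owner(current_rdata)
    if cur_owner is not None and cur_owner in past_owners:
        return "probably-benign", f"new address, same registrant ({cur_owner}) as history"
    return "suspicious", f"registrant changed from {sorted(past_owners)} to {cur_owner!r}"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip in ("198.51.100.77", "192.0.2.99", "192.0.2.25"):
        verdict, why = triage(recs, "mail.example.com", ip)
        print(f"mail.example.com -> {ip}: {verdict} ({why})")
```

The `suspicious` verdict is only a heuristic, as the thread's own phrasing ("probably safe to assume") acknowledges: a legitimate move to a new hosting provider looks identical to a hijack from the registrant data alone, and an attacker who can inject answers from a block the victim already uses would pass this check. It narrows the question an operator has to answer before installing an NTA; it does not answer it.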