David Conrad, Sunday, April 15, 2012 11:15 AM: 
> I suspect that in most cases, grepping through logs and comparing past
> (validated) results with current (unvalidated) results can provide
> sufficient information to ensure to an arbitrary level of certainty
> that the bad thing either is or is not happening.  For example, if the
> logs show the IP address for mail.example.com maps via whois into a
> block owned by Example, LLC. and the current IP address maps into a
> block owned by a dialup provider in Tajikistan, it's probably safe to
> assume the address shouldn't be trusted.
 
-1 on that approach.

You are turning off DNSSEC for the entire domain. Just spot checking
mail.example.com and www.example.com is not sufficient. They might still
be valid whereas moneytransfersystem.example.com is not. And your dig
checks are not secure since you can't validate (since DNSSEC is broken).

The requirement for an NTA (or for removing a DS from a parent) should
be as strict as for adding a DS. That is, it must be done with a secure
out-of-band mechanism.

/S
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
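The point made in the reply above, that a Negative Trust Anchor switches off validation for every name under the zone and a spot check of a few hostnames says nothing about the rest, can be made concrete with a small audit. The code below is an added example and is not part of the thread; the NTA list, the spot-checked names and the "observed" names (standing in for hostnames seen in resolver query logs) are constructed sample data.

```python
# Added example (not from the DNSOP thread): model the scope of a
# Negative Trust Anchor (NTA) and report which names it leaves unverified.
from __future__ import annotations


def labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def canon(name: str) -> str:
    """Canonical comparison form: lowercase, no trailing dot."""
    return ".".join(labels(name))


def under_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or any descendant of it.

    The match is label-wise, so 'notexample.com' is NOT under 'example.com'.
    """
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def validation_disabled(name: str, ntas: set[str]) -> bool:
    """An NTA for a zone disables DNSSEC validation for every name under it,
    not only for the names an operator happened to look at."""
    return any(under_zone(name, z) for z in ntas)


def unchecked_under_nta(ntas: set[str], spot_checked: set[str],
                        observed: set[str]) -> list[str]:
    """Names whose validation the NTA turns off but that were never spot-checked.

    These are the names a resolver will now answer for without any DNSSEC
    assurance and without the operator having compared them against anything.
    """
    checked = {canon(s) for s in spot_checked}
    return sorted(
        canon(n) for n in observed
        if validation_disabled(n, ntas) and canon(n) not in checked
    )


# Constructed sample data (hypothetical zone and hostnames).
NTAS = {"example.com"}
SPOT_CHECKED = {"mail.example.com", "www.example.com"}
OBSERVED = {
    "mail.example.com.",                 # checked (trailing dot is normalised)
    "WWW.example.com",                   # checked (case is normalised)
    "moneytransfersystem.example.com",   # covered by the NTA, never checked
    "notexample.com",                    # not under example.com
    "login.example.net",                 # different zone, still validated
}

if __name__ == "__main__":
    for n in unchecked_under_nta(NTAS, SPOT_CHECKED, OBSERVED):
        print(f"validation disabled but never checked: {n}")
```

Running the audit on the sample data flags only moneytransfersystem.example.com: it sits inside the NTA's scope, so the resolver will return unvalidated answers for it, yet it was never part of the spot check. A real audit would feed the observed set from resolver query logs rather than a literal, but the scope rule is the same.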