Stephan,

On Apr 15, 2012, at 9:36 AM, Stephan Lagerholm wrote:
> David Conrad, Sunday, April 15, 2012 11:15 AM: 
>> I suspect that in most cases, grepping through logs and comparing past
>> (validated) results with current (unvalidated) results can provide
>> sufficient information to ensure to an arbitrary level of certainty
>> that the bad thing either is or is not happening.
> 
> -1 on that approach.

The alternative is for names in the zone in question to not exist, resulting in 
your customer support center receiving some number of calls and/or customers 
bolting to service providers that don't do validation.

At the current state of DNSSEC deployment, I suspect it is far more likely that 
the zone owner has screwed something up. Validator operators that deploy NTAs 
are implicitly assuring their customers that the zone in question is actually 
safe. This presumably implies they will do some level of due diligence to 
ensure that names in that zone are indeed safe. How much due diligence they do 
is, of course, their own business decision.

> You are turning off DNSSEC for the entire domain. Just spot checking
> mail.example.com and www.example.com is not sufficient. They might still
> be valid whereas moneytransfersystem.example.com is not. And your dig
> checks are not secure since you can't validate (since DNSSEC is broken).

DNSSEC is broken for that zone.  Without NTAs, you have the choice of either 
the alternative above or turning off DNSSEC for all zones.  Which would you 
prefer?

Regards,
-drc

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
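One way to carry out the log comparison described in the thread, as an added example that is not code from the DNSOP thread or from any resolver: it reads a constructed, hypothetical log format (`<name> <type> <validated|unvalidated> <rdata>`) and reports both RRsets that differ from the validated baseline and current names that have no validated history at all, which is the gap behind the spot-checking objection.

```python
"""Compare a validated baseline with current unvalidated answers for one zone.

Added illustration only. The log format is hypothetical and the entries are
constructed sample data, not records from any real resolver or zone.
"""
from collections import defaultdict

# Constructed sample: yesterday's validated answers for the zone.
BASELINE_LOG = """\
www.example.com A validated 192.0.2.10
mail.example.com MX validated 10 mx.example.com.
moneytransfersystem.example.com A validated 192.0.2.50
"""

# Constructed sample: today's answers, fetched while the NTA is in place.
CURRENT_LOG = """\
www.example.com A unvalidated 192.0.2.10
mail.example.com MX unvalidated 10 mx.example.com.
moneytransfersystem.example.com A unvalidated 198.51.100.7
payroll.example.com A unvalidated 192.0.2.60
"""


def parse_log(text, zone):
    """Group rdata per (owner name, type) for names at or below `zone`."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        name, rtype, _state, rdata = line.split(None, 3)
        if name == zone or name.endswith("." + zone):
            rrsets[(name, rtype)].add(rdata)
    return rrsets


def compare_zone(baseline_text, current_text, zone):
    """Return (changed, unchecked) as sorted lists of (name, type).

    changed:   RRsets whose current rdata differs from the validated baseline.
    unchecked: names answered now that have no validated baseline, so the
               comparison says nothing about them.
    """
    base = parse_log(baseline_text, zone)
    cur = parse_log(current_text, zone)
    changed = sorted(k for k in cur if k in base and cur[k] != base[k])
    unchecked = sorted(k for k in cur if k not in base)
    return changed, unchecked


if __name__ == "__main__":
    changed, unchecked = compare_zone(BASELINE_LOG, CURRENT_LOG, "example.com")
    for name, rtype in changed:
        print(f"CHANGED   {name} {rtype}")
    for name, rtype in unchecked:
        print(f"UNCHECKED {name} {rtype}")
```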
