return address for failed DNSSEC validation

Barry Margolin barmar at alum.mit.edu
Fri Mar 12 01:44:36 UTC 2010


In article <mailman.792.1268343500.21153.bind-users at lists.isc.org>,
 Mark Andrews <marka at isc.org> wrote:

> No.  It's I've tried real hard to get you an answer which is not a
> forgery but I can't.

Not really.  It's "I've tried real hard to get you an answer that I can 
*tell* is not a forgery, but I can't."  When validation fails, which is 
really more likely, that it's a forgery or that the DNS administrator 
screwed up?

When website admins mess up certificates, the browser alerts the user 
and gives them the option of ignoring the error.  DNSSEC validation 
doesn't have the same kind of continuation option.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


