return address for failed DNSSEC validation

Mark Andrews marka at isc.org
Fri Mar 12 01:59:33 UTC 2010


In message <barmar-151BA5.20443611032010 at news.eternal-september.org>, Barry Margolin writes:
> In article <mailman.792.1268343500.21153.bind-users at lists.isc.org>,
>  Mark Andrews <marka at isc.org> wrote:
> 
> > No.  It's I've tried real hard to get you an answer which is not a
> > forgery but I can't.
> 
> Not really.  It's "I've tried real hard to get you an answer that I can 
> *tell* is not a forgery, but I can't."  When validation fails, which is 
> really more likely, that it's a forgery or that the DNS administrator 
> screwed up?
> 
> When website admins mess up certificates, the browser alerts the user 
> and gives them the option of ignoring the error.  DNSSEC validation 
> doesn't have the same kind of continuation option.

And that is just plain bad security practice.  If the wrong CERT
is presented then the client should just fail.  Even when you report
the error to the administrator of the site they just ignore it
because they know you can work around it.  Even Verisign does
this sort of thing.

If you don't give a work around then operators will fix the issue.
 
> -- 
> Barry Margolin, barmar at alum.mit.edu
> Arlington, MA
> *** PLEASE don't copy me on replies, I'll read them in the group ***
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
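The asymmetry discussed above (a browser can offer a click-through on a bad certificate, a validating resolver cannot) is visible in the DNS wire format itself: a validating resolver that cannot prove an answer genuine returns SERVFAIL with no records, and the stub only learns "validated" from the AD bit. The following is an added example, not code from the thread, ISC or BIND; it parses the 12-byte DNS header from constructed messages and classifies what a stub client actually gets back. Message builder, record names and the classification labels are assumptions made for this illustration.

```python
import struct

# Header flag layout (RFC 1035 / RFC 4035): QR(15) Opcode(14-11) AA(10) TC(9)
# RD(8) RA(7) Z(6) AD(5) CD(4) RCODE(3-0).
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "ad": (flags >> 5) & 1,   # Authentic Data: validator proved the answer
        "cd": (flags >> 4) & 1,   # Checking Disabled: client asked to skip validation
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(msg: bytes) -> str:
    """What a stub client can conclude from a validating resolver's reply.

    A SERVFAIL carries no answer records, so there is nothing to "continue"
    with, and the stub cannot tell a forged zone from a signing mistake by the
    zone operator: both surface as the same error.
    """
    h = parse_header(msg)
    if h["rcode"] == RCODE_SERVFAIL:
        return "bogus-or-error"
    if h["rcode"] == RCODE_NOERROR and h["ad"]:
        return "secure"
    if h["rcode"] == RCODE_NOERROR:
        return "insecure"   # answered, but not under a signed chain of trust
    return "other"


def usable_answer(msg: bytes) -> bool:
    """True only when the reply actually carries records the client may use."""
    h = parse_header(msg)
    return h["rcode"] == RCODE_NOERROR and h["ancount"] > 0


# --- constructed sample messages (not captured traffic) ---------------------

def build_response(ident: int, rcode: int = RCODE_NOERROR, ad: int = 0,
                   ancount: int = 0) -> bytes:
    """Build a minimal response: header plus one question for example.com/A.

    QR, RD and RA are set as a recursive resolver would; the answer section is
    left empty in the bytes (only ANCOUNT is set) because the header alone
    decides the classification above.
    """
    flags = (1 << 15) | (1 << 8) | (1 << 7) | ((ad & 1) << 5) | (rcode & 0xF)
    header = struct.pack("!6H", ident, flags, 1, ancount, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # A, IN
    return header + question


SECURE_REPLY = build_response(0x1001, ad=1, ancount=1)
INSECURE_REPLY = build_response(0x1002, ad=0, ancount=1)
BOGUS_REPLY = build_response(0x1003, rcode=RCODE_SERVFAIL)


if __name__ == "__main__":
    for name, reply in [("secure", SECURE_REPLY), ("insecure", INSECURE_REPLY),
                        ("bogus", BOGUS_REPLY)]:
        print(f"{name:9s} -> {classify(reply):15s} usable={usable_answer(reply)}")
```

Run stand-alone it prints one line per constructed reply; the bogus case comes back as `bogus-or-error` with `usable=False`, which is exactly the situation the thread describes: the client is not offered data it could choose to trust anyway, it simply gets a failure it cannot attribute.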