Anand Buddhdev anandb at ripe.net
Thu May 10 16:24:53 UTC 2012

On 10/05/2012 17:20, Daniel Ryšlink wrote:

> What's the point of DNSSEC when resolver administrators configure
> exceptions on a regular basis? If you can't be sure when your resolver
> does or does not validate, why have signed zones in the first place?
> It just seems to be another "shared illusion of security" similar to PKI.


For many companies the bottom line is revenue. If a large ISP's
customers can't resolve some popular domains, and start calling to
complain, it would flood their helpdesks, and they would lose revenue.
They cannot afford to be idealists.

Comcast has taken a pragmatic view. I'm glad to see they've turned on
validation, but I can see why they need to configure exceptions. Without
being able to manage exceptions, large ISPs are not going to turn on



More information about the bind-users mailing list