Warren Kumari warren at kumari.net
Thu May 10 19:04:01 UTC 2012

On May 10, 2012, at 12:52 PM, WBrown at e1b.org wrote:

> Warren wrote on 05/10/2012 11:50:30 AM:
>> Nope -- Comcast does a large amount of checking before turning off 
>> validation for a failing domain. 
>> This is (IMO) more secure than the alternative, which is to simply 
>> leave it failing, and have users move to a non-validating resolver 
>> instead?
> Does Comcast have a process to re-enable validation once the issue is 
> resolved?


They have an overview of the technique here: http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
and there have been discussions on it on DNSOP, starting here: http://www.ietf.org/mail-archive/web/dnsop/current/msg09489.html
and then continuing on, basically forever…

This doesn't really talk to their policies in depth, but they do have reasonable (and sane) policies…

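As an added illustration (not from Warren's or Comcast's messages), here is how the same negative-trust-anchor idea is expressed in BIND, assuming BIND 9.11 or later, where `rndc nta` and the `nta-lifetime`/`nta-recheck` options exist; `example.com` is a placeholder. The automatic recheck and expiry are what answer the "re-enable validation" question raised above: an NTA is temporary by construction, and named drops it as soon as the zone validates again.

```conf
options {
    dnssec-validation auto;

    // Default lifetime of a negative trust anchor added via rndc.
    // BIND caps this at one week; the default is one hour.
    nta-lifetime 1h;

    // How often named re-tries validation for a zone under an NTA.
    // If validation succeeds, the NTA is removed before it expires.
    nta-recheck 5m;
};

// Operator workflow, run with rndc rather than written into named.conf.
// Add the NTA only after confirming the failure is the zone operator's
// error (expired RRSIGs, broken DS, etc.), not an attack:
//
//   rndc nta -lifetime 2h example.com    # validation off for this name only
//   rndc nta -dump                        # list active NTAs and expiry times
//   rndc nta -remove example.com          # re-enable early once the zone is fixed
```

Because validation is disabled only for the named zone and only until the recheck succeeds or the lifetime runs out, this keeps validation on for every other zone, which is the point Warren makes against users switching to a non-validating resolver.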
