Exclude a domain from DNSSEC validation, like Unbound's "domain-insecure".

Vernon Schryver vjs at rhyolite.com
Thu Feb 7 00:48:24 UTC 2013


> From: Mark Andrews <marka at isc.org>

> > All of that gets back to honesty being the best policy and letting other
> > people fix their own stuff in their own time.
>
> And the more people that validate the bigger the peer pressure will
> be to fix dnssec problems promptly.  However to do that you need
> working whois services to be able to contact the administrators of
> the zone by other means.  Gov's whois service is a joke.  No contact
> information at all.  Can't even list the main switchboards?

For better or worse, useful WHOIS data is a lost cause.  Spammer
fighters too stupid or egotistical to understand or admit how easy it
has always been and always will be for illegal spammers to invent,
steal, rent, or borrow phone numbers and addresses made themselves
such pains to legal spammers that they created a market for spammer
shields.  Not to miss profits, ultra-cheap registrars catering to
spammers flogged their spammer shields to the punters as protection
against spam and stalking.  Since then the punters have been taught
to expect privacy shields bundled for free with their cheap domain
registrations.

And that's only where governments haven't decided that only they
should know everything about everyone and made valid WHOIS data
illegal.

My view is that if an outfit has so few other users that it doesn't
hear when things break and doesn't care enough to monitor, then it's
not worth my time to be a pest.  By the time I notice a problem with a
non-trivial domain, those responsible will already be on the job and
I would only be an irritating user or luser.  They will already have been
alerted by their monitors as well as hordes of other lusers.

In other words, when did you last alert strangers about lame
delegations?


Vernon Schryver    vjs at rhyolite.com



More information about the bind-users mailing list