[bind10-dev] bindctl not checking server certificate chain by default

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Fri Oct 19 18:31:32 UTC 2012


At Fri, 19 Oct 2012 16:26:19 +0200,
Michal 'vorner' Vaner <michal.vaner at nic.cz> wrote:

> On Fri, Oct 19, 2012 at 04:06:51PM +0200, Jelte Jansen wrote:
> > - thirdly, we could default to not running at all until the
> > administrator points to a valid certificate.
> 
> I think this is bad. We need people to try bind10 out. If I get annoyed too much
> too early in the beginning, I throw the software out and try an alternative. We
> want the thing to at least talk to the user, not bother him by some
> certificates.

I agree on this point.

> I think we could start asking for certificates once you connect
> over network, but if you try to connect to localhost, I don't think it is
> needed (the man-in-the-middle attack is not that probable).

I think something like this is a reasonable compromise.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
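The compromise discussed in this thread (require a valid certificate chain when bindctl talks to a server over the network, but tolerate the default self-signed certificate when the target is loopback) can be expressed as a small policy function around Python's `ssl` module. The following is an added illustration, not bindctl's own code; the function names and the hostname list are assumptions made for the example. Host names other than `localhost` are deliberately treated as remote, even if they might resolve to 127.0.0.1, so that the conservative (verifying) path is taken whenever the answer is not obvious from the literal.

```python
import ipaddress
import ssl
from typing import Optional

# Hypothetical list of literal names that are taken to mean "this machine".
LOOPBACK_HOSTNAMES = {"localhost", "localhost.localdomain"}


def is_loopback(host: str) -> bool:
    """True when `host` is a loopback literal (name or IP address).

    Anything that is not a recognised loopback literal is treated as remote;
    no DNS lookup is performed, so the decision is deterministic and offline.
    """
    host = host.strip().lower()
    if host in LOOPBACK_HOSTNAMES:
        return True
    # Allow bracketed IPv6 literals such as "[::1]".
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # not an IP literal: assume a network host


def verification_required(host: str) -> bool:
    """Policy from the thread: verify the chain unless connecting to loopback."""
    return not is_loopback(host)


def build_client_context(host: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a client-side TLS context implementing the policy.

    - remote host: full chain validation plus hostname check (the default
      behaviour of ssl.create_default_context), optionally against a
      user-supplied CA file such as the server's own self-signed certificate;
    - loopback: accept whatever certificate the local server presents.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if not verification_required(host):
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # Constructed sample targets; 192.0.2.10 is a documentation-range address.
    for target in ("localhost", "127.0.0.1", "[::1]", "192.0.2.10", "bind10.example.net"):
        ctx = build_client_context(target)
        print(f"{target:20s} verify={verification_required(target)} "
              f"check_hostname={ctx.check_hostname}")
```

When the administrator later installs a certificate, passing its path as `cafile` keeps the remote branch strict while still accepting a private CA; the loopback branch never consults it, which is exactly the "don't bother the user on first run" behaviour the thread argues for.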

