Microsoft deems all DigiNotar certificates untrustworthy, releases updates
- Subject: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
- From: marka at isc.org (Mark Andrews)
- Date: Mon, 12 Sep 2011 09:25:23 +1000
- In-reply-to: Your message of "Sun, 11 Sep 2011 15:32:06 -0400." <[email protected]>
- References: <[email protected]> <[email protected]> <CAAAwwbUqiRnJws_hi=5at4uN-cn+qq7PqsYSeWO_OizQkrVyrA@mail.gmail.com> <CABSP1Ofnjj27TsA=U4zs7-tpU67pbysSVFygD=WYtJwyTXzDWw@mail.gmail.com> <[email protected]> <[email protected]>
In message <146102.1315769526 at turing-police.cc.vt.edu>, Valdis.Kletnieks at vt.edu
writes:
> (*) Has anybody actually enabled "only accept DNSSEC-signed A records"
> on an end user system and left it enabled for more than a day before
> giving up in disgust? ;)
No. But I run with "reject anything that doesn't validate" and
have for several years now and that doesn't suck. We will never
be in a world where all DNS records validate unless we do DNSng and
that DNSng requires that all answers be signed.
Except as an academic exercise, I would never expect anyone would
configure a validator to require that all answers validate as secure.
DNSSEC gives you "provable secure", "provable insecure" and "bogus".
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org