nanog mailing list archives

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

From: Mark Andrews <marka () isc org>
Date: Mon, 12 Sep 2011 09:25:23 +1000


In message <146102.1315769526 () turing-police cc vt edu>, Valdis.Kletnieks () vt edu
 writes:

(*) Has anybody actually enabled "only accept DNSSEC-signed A records"
on an end user system and left it enabled for more than a day before
giving up in disgust? ;)


No.  But I run with "reject anything that doesn't validate" and
have for several years now and that doesn't suck.  We will never
be in a world where all DNS records validate unless we do DNSng and
that DNSng requires that all answers be signed.

Except as a academic exercise, I would never expect anyone would
configure a validator to require that all answers validate as secure.

DNSSEC gives you "provable secure", "provable insecure" and "bogus".

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org

Current thread:

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases, (continued)
- - - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Michiel Klaver (Sep 13)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Christopher Morrow (Sep 13)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Jima (Sep 13)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Christopher Morrow (Sep 13)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Christopher Morrow (Sep 13)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Ted Cooper (Sep 13)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Christopher Morrow (Sep 14)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Joe Greco (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates lgomes00 (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Valdis . Kletnieks (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Mark Andrews (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Jimmy Hess (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Damian Menscher (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 11)
- RE: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Keith Medcalf (Sep 11)
  - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Valdis . Kletnieks (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 11)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Valdis . Kletnieks (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Robert Bonomi (Sep 12)
    - Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 12)

(Thread continues...)