On 2014-02-11 11:51, Nathan Ward wrote:
On 11/02/2014, at 11:35 am, Andy Linton wrote: [Validated your DNSSEC]
I’ve been talking about this with one of my customers recently, and there’s a concern by some that turning on validation will trip false positives - which for an ISP is a bad thing to do - all the customer sees is that you 'don’t work' while the other ISP does.
I too have customers like that, who decided "not validating" was safer. So I asked Geoff about bad signing situations. He pointed out that particularly since Google have been validating (for 8.8.8.8) for 6+ months, any bad signing situations either tend not to persist for very long (i.e., it's not just broken for you!), or are unimportant (i.e., basically no one noticed so it never got fixed). IIRC Geoff said that someone at (I think) University of Cambridge was keeping stats on broken DNSSEC and how long it persisted, but I haven't tracked down the reference. I came away from that discussion with Geoff, and comments from Inspire/Unleash/etc with the impression that just turning on DNSSEC validation is pretty safe these days, and ought to be the default. It's certainly on my "to follow up early this year" list.

Ewen
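A check a resolver operator can use to tell a DNSSEC validation failure (the "false positive" the thread worries about) apart from a plain outage, added here as an example and not part of the thread: a validating resolver returns SERVFAIL with CD=0 but answers the same query with CD=1 when the zone is bogus, whereas a domain that fails both ways is simply unreachable. The query builder and the 12-byte sample response headers below are constructed for illustration; only the DNS header flags are inspected.

```python
import struct

def build_query(name, qtype=1, checking_disabled=False, txid=0x1234):
    """Build a DNS/UDP query with EDNS0 DO=1, optionally with the CD flag set."""
    flags = 0x0100                      # RD (recursion desired)
    if checking_disabled:
        flags |= 0x0010                 # CD (checking disabled): skip validation
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)   # QD=1, AR=1 (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)           # class IN
    # OPT pseudo-RR: root owner, type 41, UDP size 4096, TTL field carries DO bit
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

def rcode(response):
    """Response code from the low 4 bits of the flags word (0 NOERROR, 2 SERVFAIL)."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F

def ad_bit(response):
    """AD (authenticated data): resolver validated the answer."""
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0020)

def classify(resp_cd0, resp_cd1):
    """Classify a name from a validating resolver's answers to a CD=0 and a CD=1 query.

    bogus       : SERVFAIL only when validating -> broken signing upstream, not the resolver
    unreachable : fails either way -> ordinary DNS failure, DNSSEC is not the cause
    secure      : answers with AD set -> validated chain of trust
    insecure    : answers without AD -> unsigned zone, nothing to validate
    """
    r0, r1 = rcode(resp_cd0), rcode(resp_cd1)
    if r0 == 2 and r1 == 0:
        return "bogus"
    if r0 != 0 and r1 != 0:
        return "unreachable"
    if r0 == 0 and ad_bit(resp_cd0):
        return "secure"
    return "insecure"

def sample_response(flags):
    """Constructed 12-byte response header (no records) standing in for a real reply."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    # QR|RD|RA|rcode=2 with CD=0, QR|RD|RA|CD|rcode=0 with CD=1: a bogus zone
    print(classify(sample_response(0x8182), sample_response(0x8190)))
```

In practice the two responses come from sending `build_query(name)` and `build_query(name, checking_disabled=True)` to the resolver under test; a "bogus" result is the case where customers would see the validating ISP "not working" while a non-validating one still answers.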