On 11/02/14 11:51, Nathan Ward wrote:
On 11/02/2014, at 11:35 am, Andy Linton <asjl(a)lpnz.org> wrote:
Hi Nathan,
I’ve been talking about this with one of my customers recently, and there’s a concern by some that turning on validation will trip false positives - which for an ISP is a bad thing to do - all the customer sees is that you 'don’t work' while the other ISP does.
Is there public data available re. this? Does it likely vary much for NZ? I think unbound can be configured to only log when validation fails rather than actually acting on it in a negative way, so I imagine it’s not hard to figure out... thinking out loud here, we’d probably want some full query logging to get some useful stats - i.e. this zone that breaks is looked at by x% of customers, and it is y% of total unique zones queried, etc. Thinking out loud here.
Based on a chat here and there with people running validating resolvers, they haven't had major problems because the deployment base is not that big. However, Comcast had issues at some point when, for different reasons, some .gov domain names that were signed became unavailable due to failed validation. The software they use implements a feature called "negative trust anchor", which defines a "whitelist" of domains that you don't want to be validated. That can be used to survive an event when a major domain fails validation and you want your users to still see it. My understanding is Unbound also implements this, but I haven't tested it yet.
Good chance that all the problems around this have disappeared these days, but, it’d be interesting to find out.
Cheers,
(note, I haven’t Googled yet :)
— Nathan Ward
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
-- Sebastian Castro Technical Research Manager .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 495 2337 mobile: +64 21 400535
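For reference, the two Unbound behaviours discussed in the thread (log-only validation, and a negative trust anchor for one broken zone) look like this in unbound.conf. This is an added example, not configuration from either poster; the trust-anchor path and the zone name are placeholders.

```conf
# unbound.conf fragment (added example, not from the thread). The root.key
# path and "failing-zone.example" are placeholders to adapt locally.
server:
    # Enable validation using the root trust anchor (RFC 5011 managed file).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Measurement phase: answers that fail validation are still served
    # (with the AD bit cleared) but every failure is logged, so the
    # "false positive" rate can be counted before switching to hard
    # SERVFAIL. Delete this line to enforce validation.
    val-permissive-mode: yes

    # 2 = log the name and the reason for each validation failure.
    val-log-level: 2

    # Negative trust anchor: skip validation for one zone whose signatures
    # are known to be broken, while its owner repairs it. This hides a real
    # DNSSEC failure for everything under that name, so keep it temporary.
    domain-insecure: "failing-zone.example"

remote-control:
    control-enable: yes

# The same negative trust anchor can be added and removed at runtime,
# without a reload, using unbound-control:
#   unbound-control insecure_add failing-zone.example
#   unbound-control insecure_remove failing-zone.example
```

In permissive mode the log lines from val-log-level 2 give the per-zone failure counts Nathan asks about, while clients still get answers; once the list of failing zones is acceptable, removing val-permissive-mode turns those log entries into SERVFAIL responses.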