On 26 March 2013 23:07, Andy Smith <andy@???> wrote:
> [snip]
>
> Since it is possible that there will be domains out there that have
> broken DNSSEC records but nobody yet noticed (a lot less likely now
> that Google's DNS validates), I don't think it would be acceptable
> to just turn on validation with no notice. We're going to give you
> at least 30 days of notice.
>
> Is there anything more that you think should be done?
>
> We could put up a test instance of Unbound with validation enabled
> and you could switch to using it, to see if anything breaks. Is that
> something that any of you think you would bother with?
>
> On to logging.
>
> Should validation failures be logged on production resolvers? On the
> plus side, if you are experiencing one then you could ask us to look
> in the logs to see why. On the negative side, it means we'll
> casually stumble across records of tons of queries that customers
> make, which is a privacy concern.
>
> [snip]
How about you do a combo, in three stages (hapening on dates you advise us
of):
1. Test servers go live, with loging (we can use them and see if a
problem appears)
2. Production servers switch to validating
3. Test servers removed
--
Robert Gauld
http://www.robertgauld.co.uk
