On 26 March 2013 23:07, Andy Smith <andy(a)bitfolk.com> wrote:
[snip]
Since it is possible that there will be domains out there that have
broken DNSSEC records but nobody yet noticed (a lot less likely now
that Google's DNS validates), I don't think it would be acceptable
to just turn on validation with no notice. We're going to give you
at least 30 days of notice.
Is there anything more that you think should be done?
We could put up a test instance of Unbound with validation enabled
and you could switch to using it, to see if anything breaks. Is that
something that any of you think you would bother with?
On to logging.
Should validation failures be logged on production resolvers? On the
plus side, if you are experiencing one then you could ask us to look
in the logs to see why. On the negative side, it means we'll
casually stumble across records of tons of queries that customers
make, which is a privacy concern.
[snip]
How about you do a combo, in three stages (hapening on dates you advise us
of):
1. Test servers go live, with loging (we can use them and see if a
problem appears)
2. Production servers switch to validating
3. Test servers removed
--
Robert Gauld
http://www.robertgauld.co.uk