On 26 March 2013 23:07, Andy Smith <span dir="ltr">&lt;<a href="mailto:andy@bitfolk.com" target="_blank">andy@bitfolk.com</a>&gt;</span> wrote:<br><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

[snip]<br>
<br>
Since it is possible that there will be domains out there that have<br>
broken DNSSEC records but nobody yet noticed (a lot less likely now<br>
that Google&#39;s DNS validates), I don&#39;t think it would be acceptable<br>
to just turn on validation with no notice. We&#39;re going to give you<br>
at least 30 days of notice.<br>
<br>
Is there anything more that you think should be done?<br>
<br>
We could put up a test instance of Unbound with validation enabled<br>
and you could switch to using it, to see if anything breaks. Is that<br>
something that any of you think you would bother with?<br>
<br>
On to logging.<br>
<br>
Should validation failures be logged on production resolvers? On the<br>
plus side, if you are experiencing one then you could ask us to look<br>
in the logs to see why. On the negative side, it means we&#39;ll<br>
casually stumble across records of tons of queries that customers<br>
make, which is a privacy concern.<br><br>
[snip]</blockquote></div><div><br></div>How about you do a combo, in three stages (hapening on dates you advise us of):<div><ol><li>Test servers go live, with loging (we can use them and see if a problem appears)</li><li>

Production servers switch to validating</li><li>Test servers removed</li></ol></div><br clear="all"><div><br></div>-- <br>Robert Gauld<br><a href="http://www.robertgauld.co.uk" target="_blank">http://www.robertgauld.co.uk</a>
</div>