18 Nov
2016
18 Nov
'16
6:11 p.m.
* Mark Andrews:
The DNSSEC testing is also insufficient. 9-11commission.gov shows green for example but if you use DNS COOKIES (which BIND 9.10.4 and BIND 9.11.0 do) then servers barf and return BADVERS and validation fails. QWEST you have been informed of this already.
Why the hell should validating resolver have to work around the crap you guys are using?
The protocol doesn't have proper version negotation, and again and again, implementers have tried to force backwards-incompatible implementations on the Internet at large.