[dns-operations] DNSSEC misconfiguration

Casey Deccio casey at deccio.net
Thu Jul 29 21:22:00 UTC 2010


Since we enabled DNSSEC validation on our resolvers early in the year,
I've been carefully monitoring for validation problems.  Since
deployment is still fairly fresh, I anticipate signed zones having
issues, and I've tried to notify admins as I've seen issues arise, so
they can be resolved.  Finding contact info is one concern that has
been brought up on this list.  However, a bigger concern is with what
seems to be misconfiguration complacence--either with slow response to
problem resolution or (multiple) repeat offenders.  I realize that
learning DNSSEC is not a trivial task, but sometimes it's simply a
matter of the admins removing DS RRs until the situation stabilizes.
Just yesterday I received a response that they were working on the
issue, but that it wouldn't be fixed until Sunday.  I strongly
suggested that the DS RRs be removed until then.  As of yet, they
still exist and validation is still failing.  There are other zones
that have been broken literally for months.  I imagine that for a
business there might be stronger incentive to get things fixed in a
timely manner.  But sometimes customers of the domain may have no
alternative.  Those who are exclusively using validating resolvers are
out of luck.

How do we make a stronger impression to zone administrators that
broken validation == we can't reach you?  I'm also interested in who
has validation enabled on resolvers (with some sort of anchor, of
course) and what the experience has been.

Regards,
Casey
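Added example, not part of the post above: the consistency check behind the "remove the DS RRs until it is fixed" advice. A DS RR in the parent that matches no DNSKEY in the child makes the zone bogus for every validating resolver; a delegation with no DS at all is merely insecure and still resolves. The code computes RFC 4034 key tags and SHA-256 (digest type 2) DS digests from DNSKEY data and lists the DS records that have nothing to match. Owner name, key bytes and the stale DS are constructed placeholders, not real zone data.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes):
    """DS RR (key tag, algorithm, digest type 2, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)


def find_unmatched_ds(owner: str, parent_ds, child_dnskeys):
    """Return the parent's DS RRs that no DNSKEY currently in the child matches.

    Any entry in the result breaks validation: the child looks bogus, not insecure."""
    published = {make_ds(owner, *key) for key in child_dnskeys}
    return [ds for ds in parent_ds if ds not in published]


# Constructed sample data (placeholder key bytes, not real RSA key material).
SAMPLE_OWNER = "Example.COM."
NEW_KSK = (257, 3, 8, bytes(range(1, 33)))       # KSK flags=257, RSASHA256
OLD_KSK = (257, 3, 8, bytes(range(200, 232)))    # rolled key, already withdrawn
PARENT_DS = [make_ds(SAMPLE_OWNER, *OLD_KSK), make_ds(SAMPLE_OWNER, *NEW_KSK)]
CHILD_DNSKEYS = [NEW_KSK]                        # child only publishes the new key

if __name__ == "__main__":
    for tag, alg, dtype, digest in find_unmatched_ds(SAMPLE_OWNER, PARENT_DS, CHILD_DNSKEYS):
        print(f"stale DS {tag} {alg} {dtype} {digest}: remove it or republish the DNSKEY")
```

With real data, feed it the DS RRset from the parent and the DNSKEY RRset from the child's authoritative servers; the owner-name lowercasing and root label are part of the digest input, so the names must be fully qualified.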
