[dns-operations] DNSSEC misconfiguration

Phil Regnauld regnauld at nsrc.org
Thu Jul 29 21:36:22 UTC 2010

Casey Deccio (casey) writes:
> How do we make a stronger impression to zone administrators that
> broken validation == we can't reach you?  I'm also interested who has
> validation enabled on resolvers (with some sort of anchor, of course)
> and what the experience has been.

	Maybe naming the zone publicly would put sufficient pressure?
	It may not be very popular, but it might make others on this list
	realize they have an issue with the same zone as well.  And they could
	in turn contact the admins responsible for said zone.

	Do any of the validation server implementations allow one to
	override DS entries for a given delegation?  For example if
	foo.com is broken, and one knows this, but one still wants to
	validate the rest of the DNS tree, some configuration option
	to specify that foo.com should NOT be validated even though
	.com contains DS entries for foo.com.


