[dns-operations] DNSSEC misconfiguration
Phil Regnauld
regnauld at nsrc.org
Thu Jul 29 21:36:22 UTC 2010
Casey Deccio (casey) writes:
>
> How do we make a stronger impression to zone administrators that
> broken validation == we can't reach you? I'm also interested who has
> validation enabled on resolvers (with some sort of anchor, of course)
> and what the experience has been.
Maybe naming the zone publicly would put sufficient pressure?
It may not be very popular, but it might make others on this list
realize they have an issue with the same zone as well. And they could
in turn contact the admins responsible for said zone.

Do any of the validation server implementations allow one to
override DS entries for a given delegation? For example if
foo.com is broken, and one knows this, but one still wants to
validate the rest of the DNS tree, some configuration option
to specify that foo.com should NOT be validated even though
.com contains DS entries for foo.com.
Cheers,
Phil