[dns-operations] DNSSEC misconfiguration
michael at rancid.berkeley.edu
Thu Jul 29 21:42:41 UTC 2010
On 07/29/10 14:22, Casey Deccio wrote:
> How do we make a stronger impression to zone administrators that
> broken validation == we can't reach you?
I agree that naming the zone publicly is probably a good idea (either
here or in dnssec-deployment@), so that those of us who do validate can
check to see if it's a problem for us and potentially add to the chorus
(or maybe quartet) of validators who are complaining. Maybe they'll
notice the increased numbers of distinct complaints.
> I'm also interested who has
> validation enabled on resolvers (with some sort of anchor, of course)
> and what the experience has been.
We have it enabled using ISC DLV. It was great until the wave of .GOV
"sign it and forget it" mandates. Then it got frustrating.
I do hope that as GOV evaluates new mandates and best practices, they
include provisions for eating your own dog food. Requiring .GOVs to run
validation on their recursors and validate their own zones would have
gone a long way to reducing these sorts of problems. Or, at least it
would have spread the pain.
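The "validate your own zones" check the post asks for, as an added example that is not part of the original message or of any tool it mentions: a small POSIX shell script that queries a zone's SOA through a validating resolver twice, once normally and once with checking disabled (+cd), and classifies the result. SERVFAIL with validation on but NOERROR with +cd is the "broken validation == we can't reach you" case. It assumes `dig` is installed and that the resolver address you pass (127.0.0.1 in the usage line) is one that validates with a trust anchor or DLV configured; the sample dig output embedded at the bottom is constructed for the self-check.

```shell
#!/bin/sh
# Classify a zone's DNSSEC status as seen from a validating resolver.
#   SERVFAIL normally, NOERROR with +cd  -> bogus (validation failure, zone unreachable)
#   NOERROR with the AD flag set         -> secure (chain validated)
#   NOERROR without AD                   -> insecure (unsigned or no chain to an anchor)
#   anything else                        -> unreachable (server down, timeout, lame)

# classify STATUS_VALIDATING AD_FLAG STATUS_CHECKING_DISABLED
classify() {
    status="$1"; ad="$2"; status_cd="$3"
    if [ "$status" = "SERVFAIL" ] && [ "$status_cd" = "NOERROR" ]; then
        echo bogus
    elif [ "$status" = "NOERROR" ] && [ "$ad" = "yes" ]; then
        echo secure
    elif [ "$status" = "NOERROR" ]; then
        echo insecure
    else
        echo unreachable
    fi
}

# parse_dig_output DIG_TEXT: print "STATUS AD" from dig's header and flags lines.
parse_dig_output() {
    out="$1"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        status=TIMEOUT     # no header at all: dig got no reply
    fi
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" ad "*) ad=yes ;;
        *)        ad=no ;;
    esac
    echo "$status $ad"
}

# dig_status RESOLVER NAME TYPE [extra dig options]: run dig and parse the result.
dig_status() {
    resolver="$1"; name="$2"; type="$3"; shift 3
    out=$(dig "@$resolver" "$name" "$type" +dnssec +time=5 +tries=1 "$@" 2>/dev/null || true)
    parse_dig_output "$out"
}

# dnssec_check RESOLVER ZONE: the two-query test, printing one of the four verdicts.
dnssec_check() {
    resolver="$1"; zone="$2"
    set -- $(dig_status "$resolver" "$zone" SOA)
    status="$1"; ad="$2"
    set -- $(dig_status "$resolver" "$zone" SOA +cd)
    status_cd="$1"
    classify "$status" "$ad" "$status_cd"
}

# Constructed sample of dig's header lines (not captured from a real server),
# used to exercise the parser without network access.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: sh dnssec_check.sh 127.0.0.1 your.zone.example
if [ "$#" -eq 2 ]; then
    dnssec_check "$1" "$2"
else
    echo "self-check: $(parse_dig_output "$SAMPLE_SECURE")"
fi
```

A "bogus" verdict from your own validating recursor is exactly what the rest of the validating world sees: the zone resolves with +cd, so the data is there, but the signatures or the chain to the anchor do not check out. Run it against a resolver that validates and against one that does not, and the difference is the outage the post is describing.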