[dns-operations] DNSSEC misconfiguration

Michael Sinatra michael at rancid.berkeley.edu
Thu Jul 29 21:42:41 UTC 2010


On 07/29/10 14:22, Casey Deccio wrote:

> How do we make a stronger impression to zone administrators that
> broken validation == we can't reach you?

I agree that naming the zone publicly is probably a good idea (either
here or in dnssec-deployment@), so that those of us who do validate can
check to see if it's a problem for us and potentially add to the chorus
(or maybe quartet) of validators who are complaining.  Maybe they'll
notice the increased numbers of distinct complaints.

> I'm also interested who has
> validation enabled on resolvers (with some sort of anchor, of course)
> and what the experience has been.

We have it enabled using ISC DLV.  It was great until the wave of .GOV 
"sign it and forget it" mandates.  Then it got frustrating.

I do hope that as GOV evaluates new mandates and best practices, they 
include provisions for eating your own dog food.  Requiring .GOVs to run 
validation on their recursors and validate their own zones would have 
gone a long way to reducing these sorts of problems.  Or, at least it 
would have spread the pain.

michael
