[dns-operations] DNSSEC misconfiguration

Casey Deccio casey at deccio.net
Thu Jul 29 22:08:00 UTC 2010

On Thu, Jul 29, 2010 at 2:42 PM, Michael Sinatra
<michael at rancid.berkeley.edu> wrote:
> On 07/29/10 14:22, Casey Deccio wrote:
>> How do we make a stronger impression to zone administrators that
>> broken validation == we can't reach you?
> I agree that naming the zone publicly is probably a good idea (either here
> or in dnssec-deployment@), so that those of us who do validate can check to
> see if it's a problem for us and potentially add to the chorus (or maybe
> quartet) of validators who are complaining.  Maybe they'll notice the
> increased numbers of distinct complaints.

I suppose that might be effective, depending on how widespread the use
of the domain is.  The more recent examples are (of course) .GOVs, and
while very pertinent to other .GOV agencies, probably not as used by
non-GOV folks, so general complaints may not be justified.  However,
there are some general .GOV zones that have been broken for quite a
while (and have already been brought up in discussion on public
lists).  For example, issues with www.fedstats.gov (and other
census-related domains) have existed on the order of months.

> I do hope that as GOV evaluates new mandates and best practices, they
> include provisions for eating your own dog food.  Requiring .GOVs to run
> validation on their recursors and validate their own zones would have gone a
> long way to reducing these sorts of problems.  Or, at least it would have
> spread the pain.

Yes, some of it has been painful.  But I should mention (after my
ranting) that not all the experience has been bad.  A number of
individuals have been very quick to respond to my requests and solve
issues we've had--sometimes by promptly removing DS RRs until the
problem is fixed more permanently.  Not to mention all the domains
which haven't had any noticeable problems (yet).
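
The thread's point that "broken validation == we can't reach you" has a practical counterpart for operators of validating resolvers: a zone whose DNSSEC chain is bogus returns SERVFAIL from a validating resolver, but the same query with the CD (checking disabled) bit set still returns an answer, which is how you tell a validation failure apart from a zone that is simply unreachable. The following is an added example, not code from this post or from its authors. It parses the header lines that `dig` prints (the `status:` and `;; flags:` lines, which are real `dig` output conventions) for a normal query and a `+cd` query and classifies the outcome; the sample outputs embedded below are constructed, not captures from any real zone, and the category names are this example's own.

```python
"""Triage a DNSSEC-related resolution failure from two dig runs.

Given the output of `dig @resolver name` and `dig +cd @resolver name`
(both run against the same validating resolver), decide whether a
failure is a DNSSEC validation problem or ordinary unreachability.
All sample outputs in this module are constructed for illustration.
"""

import re

# Matches the status in a dig header line such as:
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
_STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
# Matches the flags line such as:
#   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
_FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)


def parse_dig_header(output: str) -> dict:
    """Return {'status': str, 'flags': set} from dig's header section.

    Raises ValueError when no header is present, which is what dig
    prints after a timeout (';; connection timed out ...').
    """
    m = _STATUS_RE.search(output)
    if not m:
        raise ValueError("no dig header found")
    flags = set()
    f = _FLAGS_RE.search(output)
    if f:
        flags = set(f.group(1).split())
    return {"status": m.group(1), "flags": flags}


def _header_or_timeout(output: str) -> dict:
    """Treat missing headers (timeouts) as a synthetic TIMEOUT status."""
    try:
        return parse_dig_header(output)
    except ValueError:
        return {"status": "TIMEOUT", "flags": set()}


def classify(normal_output: str, cd_output: str) -> str:
    """Classify a normal query and a +cd query against one validating resolver.

    Returns one of (names chosen for this example):
      'secure'        answered and validated (AD bit set)
      'insecure'      answered but not validated (no chain of trust, or
                      DS records removed while a problem is being fixed)
      'dnssec-bogus'  SERVFAIL normally but an answer with CD set: the
                      zone's DNSSEC data fails validation
      'unreachable'   fails even with CD set: not a validation problem
    """
    normal = _header_or_timeout(normal_output)
    cd = _header_or_timeout(cd_output)

    if normal["status"] == "NOERROR":
        return "secure" if "ad" in normal["flags"] else "insecure"
    if normal["status"] == "SERVFAIL" and cd["status"] == "NOERROR":
        return "dnssec-bogus"
    return "unreachable"


# Constructed sample outputs (abbreviated dig headers), not real captures.
SAMPLE_BOGUS_NORMAL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_BOGUS_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_INSECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4444
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"


if __name__ == "__main__":
    # In real use, feed in the captured stdout of the two dig commands.
    for label, normal, cd in [
        ("broken chain", SAMPLE_BOGUS_NORMAL, SAMPLE_BOGUS_CD),
        ("validated", SAMPLE_SECURE, SAMPLE_SECURE),
        ("DS removed", SAMPLE_INSECURE, SAMPLE_INSECURE),
        ("server down", SAMPLE_TIMEOUT, SAMPLE_TIMEOUT),
    ]:
        print(f"{label:12s} -> {classify(normal, cd)}")
```

A 'dnssec-bogus' result is the case the thread is about: non-validating users still see the zone, validating users do not, and the operator of the zone may be unaware. The temporary fix mentioned above (pulling the DS RRs from the parent) moves such a zone into the 'insecure' category until the signing problem is repaired.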
