[dns-operations] DNSSEC misconfiguration

Shumon Huque shuque at isc.upenn.edu
Fri Jul 30 04:17:16 UTC 2010


On Thu, Jul 29, 2010 at 03:08:00PM -0700, Casey Deccio wrote:
> On Thu, Jul 29, 2010 at 2:42 PM, Michael Sinatra
> <michael at rancid.berkeley.edu> wrote:
> > On 07/29/10 14:22, Casey Deccio wrote:
> >
> >> How do we make a stronger impression to zone administrators that
> >> broken validation == we can't reach you?
> >
> > I agree that naming the zone publicly is probably a good idea (either here
> > or in dnssec-deployment@), so that those of us who do validate can check to
> > see if it's a problem for us and potentially add to the chorus (or maybe
> > quartet) of validators who are complaining.  Maybe they'll notice the
> > increased numbers of distinct complaints.
> >
> 
> I suppose that might be effective, depending on how widespread the use
> of the domain is.  The more recent examples are (of course) .GOVs, and
> while very pertinent to other .GOV agencies, probably not as used by
> non-GOV folks, so general complaints may not be justified. [...]

Actually various sites have been named on other lists already,
with no particular impact as far as I can tell.

I think the problem might be something like: oops, that DNSSEC
thing broke, but it's only affecting a couple of hundred geeks
and UC Berkeley, and it's working for the vast majority of the
Internet, so it's not an emergency.

Trying to get a sense of the population of users that use 
production validating resolvers and communicating this might
be one way of sending a message that your domains are unresolvable
for a non-trivial population (assuming it is non-trivial, which
it may not be).

I'm not talking about people on this list who set up these things 
for themselves or small groups. But actual non-trivial production 
deployments like campus/enterprise-wide resolvers at organizations, 
ISPs, etc. For the US R&E community there are only a handful of
such organizations (i.e. you can literally count them on one hand).
Who else is out there?

-- 
Shumon Huque
University of Pennsylvania.
