[dns-operations] DNSSEC misconfiguration
shuque at isc.upenn.edu
Fri Jul 30 04:17:16 UTC 2010
On Thu, Jul 29, 2010 at 03:08:00PM -0700, Casey Deccio wrote:
> On Thu, Jul 29, 2010 at 2:42 PM, Michael Sinatra
> <michael at rancid.berkeley.edu> wrote:
> > On 07/29/10 14:22, Casey Deccio wrote:
> >> How do we make a stronger impression to zone administrators that
> >> broken validation == we can't reach you?
> > I agree that naming the zone publicly is probably a good idea (either here
> > or in dnssec-deployment@), so that those of us who do validate can check to
> > see if it's a problem for us and potentially add to the chorus (or maybe
> > quartet) of validators who are complaining. Maybe they'll notice the
> > increased numbers of distinct complaints.
> I suppose that might be effective, depending on how widespread the use
> of the domain is. The more recent examples are (of course) .GOVs, and
> while very pertinent to other .GOV agencies, probably not as used by
> non-GOV folks, so general complaints may not be justified. [...]
Actually various sites have been named on other lists already,
with no particular impact as far as I can tell.

I think the problem might be something like: oops, that DNSSEC
thing broke, but it's only affecting a couple of hundred geeks
and UC Berkeley, and it's working for the vast majority of the
Internet, so it's not an emergency.

Trying to get a sense of the population of users that use
production validating resolvers and communicating this might
be one way of sending a message that your domains are unresolvable
for a non-trivial population (assuming it is non-trivial, which
it may not be).

I'm not talking about people on this list who set up these things
for themselves or small groups. But actual non-trivial production
deployments like campus/enterprise-wide resolvers at organizations,
ISPs, etc. For the US R&E community there are only a handful of
such organizations (i.e. you can literally count them on one hand).

Who else is out there?

University of Pennsylvania.
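The check Michael Sinatra's reply alludes to, namely a validating site confirming whether a publicly named zone is actually failing for its own resolver, can be made mechanical. The script below is an added example and is not part of the original thread or of any listed organization's tooling. It assumes `dig` from the BIND utilities is installed and that the resolver named in `RESOLVER` (the 127.0.0.1 default is a placeholder) performs DNSSEC validation. It sends the same query twice, once normally and once with the Checking Disabled (CD) bit set: a SERVFAIL that disappears when validation is bypassed is a broken chain of trust on the zone's side, whereas a SERVFAIL in both cases is an ordinary outage, which is a different complaint to send the zone administrator.

```shell
#!/bin/sh
# Added example (not from the original thread). Tell a DNSSEC validation
# failure apart from a plain outage by comparing a validated query with a
# +cd (Checking Disabled) query against the same resolver.
# Assumptions: `dig` is installed; $RESOLVER validates DNSSEC.
# 127.0.0.1 below is a placeholder for your own validating resolver.

RESOLVER="${RESOLVER:-127.0.0.1}"

# Query $1 for an A record and print only the rcode from dig's header line
# ("status: SERVFAIL" etc.). Extra arguments are passed through to dig.
# Prints nothing if the resolver could not be reached at all.
dig_status() {
    name="$1"; shift
    dig @"$RESOLVER" "$name" A +dnssec +time=3 +tries=1 "$@" \
        | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Classify a pair of rcodes: $1 from the validated query, $2 from the +cd
# query. SERVFAIL only while validation is on means the zone's DNSSEC chain
# is broken; SERVFAIL in both cases means the zone is simply unreachable.
classify() {
    plain="$1"; cd="$2"
    if [ "$plain" = "SERVFAIL" ] && [ -n "$cd" ] && [ "$cd" != "SERVFAIL" ]; then
        echo "DNSSEC-BROKEN"
    elif [ "$plain" = "SERVFAIL" ]; then
        echo "UNREACHABLE"
    elif [ -z "$plain" ]; then
        echo "NO-ANSWER"          # resolver itself did not respond
    else
        echo "OK:$plain"          # NOERROR, NXDOMAIN, ... as validated
    fi
}

# Run both queries for a zone name and print the classification.
check_zone() {
    plain="$(dig_status "$1")"
    cd="$(dig_status "$1" +cd)"
    classify "$plain" "$cd"
}

# Usage: check_zone example.gov     (placeholder zone name)
```

Running `check_zone` against each zone named on the list gives a one-word answer per zone that a campus or ISP resolver operator can quote back to the zone's administrator, together with the resolver population it affects.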