[dns-operations] DNSSEC misconfiguration

Edward Lewis Ed.Lewis at neustar.biz
Fri Jul 30 06:18:39 UTC 2010


At 14:22 -0700 7/29/10, Casey Deccio wrote:
>Since we enabled DNSSEC validation on our resolvers early in the year,
>I've been carefully monitoring for validation problems.  Since
>deployment is still fairly fresh, I anticipate signed zones having
>issues, and I've tried to notify admins as I've seen issues arise, so
>they can be resolved.

I find the use of "discreet reporting" to be most appropriate - 
and, to be a little sarcastic, "refreshing."

>Finding contact info is one concern that has been brought up on this list.

And when that happens, I think "going public" is justified.

>However, a bigger concern is with what
>seems to be misconfiguration complacence--either with slow response to
>problem resolution or (multiple) repeat offenders.
...
>How do we make a stronger impression to zone administrators that
>broken validation == we can't reach you?  I'm also interested who has
>validation enabled on resolvers (with some sort of anchor, of course)
>and what the experience has been.

This is an unforeseen situation.  CW (Conventional Wisdom) has been 
that at the first sign of trouble, an admin would ditch DNSSEC and 
forget it.  Anecdotally now we here, admins fail to see the 
consequence.  Hmmm.

Perhaps we need to define a trust anchor that a recursive operator 
can install that overrides DNSSEC for zones that are chronically 
broken.  This is to satisfy the local policy rules doctrine, 
protecting the recursive server from "false positive reports of 
errors."

But clearly an education campaign is needed to inform admins who have 
adopted DNSSEC on mandate (and not on desire) that failing to 
maintain DNSSEC is bad for them.  I imagine this is mostly a GOV 
problem today - with GOV being the only TLD to (indirectly) mandate 
DNSSEC, refusing to run a WhoIs, and being otherwise hard to contact 
- in general making it hard to report to the admins that there are 
resolution failures.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Spouses, like Internet protocols, lack necessary troubleshooting tools. Sigh.
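The per-zone override Ed proposes above already has a concrete form in common validating resolvers. The following is an added illustration, not part of the thread: an Unbound `server:` fragment contrasting the blunt resolver-wide option with the narrow per-zone one. It assumes Unbound, a root trust anchor at the path shown, and "broken-zone.example" as a constructed placeholder for a chronically broken zone.

```conf
# Added example (not from the post): two ways to implement a local-policy
# override for a zone whose DNSSEC chain is broken. Assumes Unbound;
# "broken-zone.example" is a constructed placeholder, not a real zone.
server:
    # Validation stays on, anchored at the root.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Log every validation failure; level 2 also logs the reason, which is
    # the evidence to hand to the zone's admin when reporting the problem.
    val-log-level: 2

    # WEAK: marks every bogus answer as merely "insecure", resolver-wide.
    # This silences failures for all zones, not just the broken one, so it
    # defeats the point of validating at all. Left commented out.
    # val-permissive-mode: yes

    # NARROW: ignore the chain of trust only towards this one domain, so it
    # is treated as unsigned while every other zone is still validated.
    # Remove the entry once the zone's admin has repaired the chain.
    domain-insecure: "broken-zone.example"
```

BIND offers the same narrow override as `validate-except { "broken-zone.example"; };` in `options` (BIND 9.11 and later); either way the entry is a temporary exception to be revisited, not a permanent fix.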


