[dns-operations] DNSSEC misconfiguration

Edward Lewis Ed.Lewis at neustar.biz
Fri Jul 30 06:18:39 UTC 2010

At 14:22 -0700 7/29/10, Casey Deccio wrote:
>Since we enabled DNSSEC validation on our resolvers early in the year,
>I've been carefully monitoring for validation problems.  Since
>deployment is still fairly fresh, I anticipate signed zones having
>issues, and I've tried to notify admins as I've seen issues arise, so
>they can be resolved.

I find that the use of "discreet reporting" to be most appropriate - 
and to be a little sarcastic "refreshing."

>Finding contact info is one concern that has been brought up on this list.

And when that happens, I think "going public" is justified.

>However, a bigger concern is with what
>seems to be misconfiguration complacence--either with slow response to
>problem resolution or (multiple) repeat offenders.
>How do we make a stronger impression to zone administrators that
>broken validation == we can't reach you?  I'm also interested who has
>validation enabled on resolvers (with some sort of anchor, of course)
>and what the experience has been.

This is an unforeseen situation.  CW (Conventional Wisdom) has been 
that at the first sign of trouble, an admin would ditch DNSSEC and 
forget it.  Anecdotally now we here, admins fail to see the 
consequence.  Hmmm.

Perhaps we need to define a trust anchor that a recursive operator 
can install that overrides DNSSEC for zones that are chronically 
broken.  This is to satisfy the local policy rules doctrine, 
protecting the recursive server from "false positive reports of 

But clearly an education campaign is needed to inform admins who have 
adopted DNSSEC on mandate (and not on desire) that failing to 
maintain DNSSEC is bad for them.  I imagine this is mostly a GOV 
problem today - with GOV being the only TLD to (indirectly) mandate 
DNSSEC, refusing to run a WhoIs, and being otherwise hard to contact 
- in general making it hard to report to the admins that there are 
resolution failures.

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Spouses, like Internet protocols, lack necessary troubleshooting tools. Sigh.

More information about the dns-operations mailing list