[dns-operations] DNSSEC misconfiguration

Rose, Scott W. scott.rose at nist.gov
Fri Jul 30 11:54:14 UTC 2010

On Jul 29, 2010, at 5:42 PM, Michael Sinatra wrote:

> On 07/29/10 14:22, Casey Deccio wrote:
>> How do we make a stronger impression to zone administrators that
>> broken validation == we can't reach you?
> I agree that naming the zone publicly is probably a good idea (either 
> here or in dnssec-deployment@), so that those of us who do validate can 
> check to see if it's a problem for us and potentially add to the chorus 
> (or maybe quartet) of validators who are complaining.  Maybe they'll 
> notice the increased numbers of distinct complaints.
A lot have (I have a feeling Casey and I are bugging the same people).   When I can reach the right people, often the cause is a rush to meet the mandate so they sign a zone and push it out to servers that don't do DNSSEC, so they just wait for their vendors to get an update to them (bad idea).

.gov has more problems because it's mandatory, so folks who wouldn't normally do DNSSEC are trying to do it, and having problems.  We knew this would happen (ok, maybe not this bad...) so we decided to push for signing first, validation second.  Unfortunately that means zones have problems that no one (outside of DNSSEC fans) catches for a while, but now that the root is signed, validation is becoming more common.

>> I'm also interested who has
>> validation enabled on resolvers (with some sort of anchor, of course)
>> and what the experience has been.
> We have it enabled using ISC DLV.  It was great until the wave of .GOV 
> "sign it and forget it" mandates.  Then it got frustrating.
> I do hope that as GOV evaluates new mandates and best practices, they 
> include provisions for eating your own dog food.  Requiring .GOVs to run 
> validation on their recursors and validate their own zones would have 
> gone a long way to reducing these sorts of problems.  Or, at least it 
> would have spread the pain.
We have best practices and guidance docs that (apparently) no one reads now, so more won't help.  I have heard that someone with more enforcement authority will be checking for compliance within .gov and validation will be pushed down in future FISMA revisions (making it mandatory as well).  

Since the .gov zone is not shared (even within the USG), it's hard to know the full extent of the problems, but I see ~40 or so zones a day (most are the same ones day-to-day).  I see a lot of other problems like lame delegations and strange implementations too, but ignoring those and focusing on the current problems.


> michael

Scott Rose
scottr at nist.gov
+1 301-975-8439
Google Voice: +1 571-249-3671
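The failure mode Scott describes, a signed zone pushed to authoritative servers that do not do DNSSEC, shows up to a validator as answers without RRSIG records. The script below is an added example, not code from the thread or from NIST; it assumes BIND's `dig` is installed and that the zone name is supplied on the command line.

```shell
#!/bin/sh
# Added example. Ask every authoritative server for a zone's SOA with the DO
# bit set and report servers whose answer carries no RRSIG: that is what a
# validating resolver sees when a signed zone lands on a non-DNSSEC server.
# Assumes BIND's `dig` is installed.

# classify_response: read one dig response on stdin and print a verdict.
#   OK         answer carries RRSIG records
#   NO-RRSIG   NOERROR answer without RRSIG (server or zone copy is not DNSSEC-aware)
#   NO-ANSWER  no usable answer (SERVFAIL, REFUSED, timeout, lame delegation)
classify_response() {
    resp=$(cat)
    case "$resp" in
        *"status: NOERROR"*) ;;
        *) echo NO-ANSWER; return 0 ;;
    esac
    # Match a record line such as "example.gov. 3600 IN RRSIG SOA 8 2 ..."
    # while skipping dig's ";"-prefixed comment lines.
    if printf '%s\n' "$resp" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
        echo OK
    else
        echo NO-RRSIG
    fi
}

# check_zone: query each NS of the zone directly (no recursion) and print
# "<zone> <server> <verdict>" per server; returns 1 if any server is not OK.
check_zone() {
    zone=$1; rc=0
    for ns in $(dig +short NS "$zone"); do
        verdict=$(dig +dnssec +norecurse +time=3 +tries=1 @"$ns" "$zone" SOA 2>/dev/null \
                  | classify_response)
        printf '%s %s %s\n' "$zone" "$ns" "$verdict"
        [ "$verdict" = OK ] || rc=1
    done
    return $rc
}

# Usage: sh dnssec-servers.sh example.gov another.gov
for zone in "$@"; do
    check_zone "$zone"
done
```

A server reporting NO-RRSIG for a zone whose parent publishes a DS record is exactly the "sign it and forget it" case: validating resolvers will return SERVFAIL for it while non-validating ones keep working.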
