[dns-operations] DNSSEC misconfiguration
Michael Sinatra
michael at rancid.berkeley.edu
Fri Jul 30 18:44:49 UTC 2010
On 07/30/10 08:31, Carlos Vicente wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>> I do hope that as GOV evaluates new mandates and best practices, they
>> include provisions for eating your own dog food. Requiring .GOVs to run
>> validation on their recursors and validate their own zones would have
>> gone a long way to reducing these sorts of problems. Or, at least it
>> would have spread the pain.
>>
>> michael
>
> I agree.
>
> On a related note, some time ago it was disappointing to hear the
> EDUCAUSE folks suggest in a webinar that .edu's should sign first and
> then "when everybody has signed their zones", enable validation.
Ah, I think I was travelling during that session and couldn't join in.
I would have challenged the notion that people shouldn't validate until
everyone has signed, as I am doing now.
At a MINIMUM, one should have a validating host monitoring one's signed
zones by doing periodic queries and reporting the results.
michael
More information about the dns-operations
mailing list