[dns-operations] DNSSEC misconfiguration

Eric Osterweil eoster at cs.ucla.edu
Fri Jul 30 18:52:19 UTC 2010


On Jul 30, 2010, at 11:44 AM, Michael Sinatra wrote:

> On 07/30/10 08:31, Carlos Vicente wrote:
>> 
>>> I do hope that as GOV evaluates new mandates and best practices, they
>>> include provisions for eating your own dog food.  Requiring .GOVs to run
>>> validation on their recursors and validate their own zones would have
>>> gone a long way to reducing these sorts of problems.  Or, at least it
>>> would have spread the pain.
>>> 
>>> michael
>> 
>> I agree.
>> 
>> On a related note, some time ago it was disappointing to hear the
>> EDUCAUSE folks suggest in a webinar that .edu's should sign first and
>> then "when everybody has signed their zones", enable validation.
> 
> Ah, I think I was travelling during that session and couldn't join in. I would have challenged the notion that people shouldn't validate until everyone has signed, as I am doing now.
> 
> At a MINIMUM, one should have a validating host monitoring one's signed zones by doing periodic queries and reporting the results.

Perhaps adding one's zone(s) to SecSpider accomplishes this? ;)

Eric
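
The periodic check suggested in the quoted reply above (a validating host querying one's signed zones and reporting the results), as an added example that is not part of the original thread. The function names, the resolver address and the zone list passed to `failing` are assumptions chosen for illustration.

```python
import secrets
import socket
import struct

QR, AD, SERVFAIL, SOA = 0x8000, 0x0020, 2, 6  # header flag bits, RCODE, QTYPE


def build_query(zone, txid):
    """Build an SOA query with RD set and an EDNS0 OPT record carrying DO."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in zone.rstrip(".").split(".")
    ) + b"\x00"
    # OPT RR: root name, type 41, UDP size 1232, TTL field with DO (0x8000)
    opt = struct.pack("!BHHIH", 0, 41, 1232, 0x00008000, 0)
    return header + qname + struct.pack("!HH", SOA, 1) + opt


def classify(response, txid):
    """Map the header of a resolver response to a monitoring status."""
    if len(response) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == SERVFAIL:
        return "servfail"  # what a validating resolver returns for bogus data
    if rcode != 0:
        return "rcode-%d" % rcode
    return "validated" if flags & AD else "unvalidated"


def check_zone(zone, resolver, timeout=3.0):
    """Query one zone through the validating resolver (needs network access)."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(zone, txid), (resolver, 53))
            response, _ = sock.recvfrom(4096)
        except OSError:
            return "no-response"
    return classify(response, txid)


def failing(zones, resolver):
    """Return {zone: status} for every signed zone that did not validate."""
    return {z: s for z in zones if (s := check_zone(z, resolver)) != "validated"}
```

Run `failing` on a schedule against a validating resolver you operate and alert on any non-empty result; the AD bit is only meaningful over a trusted path to that resolver.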