[dns-operations] DNSSEC misconfiguration

Michael Sinatra michael at rancid.berkeley.edu
Fri Jul 30 23:13:54 UTC 2010

On 7/30/10 11:52 AM, Eric Osterweil wrote:
> On Jul 30, 2010, at 11:44 AM, Michael Sinatra wrote:
>> On 07/30/10 08:31, Carlos Vicente wrote:
>>> Hash: SHA1
>>>> I do hope that as GOV evaluates new mandates and best practices, they
>>>> include provisions for eating your own dog food.  Requiring .GOVs to run
>>>> validation on their recursors and validate their own zones would have
>>>> gone a long way to reducing these sorts of problems.  Or, at least it
>>>> would have spread the pain.
>>>> michael
>>> I agree.
>>> On a related note, some time ago it was disappointing to hear the
>>> EDUCAUSE folks suggest in a webinar that .edu's should sign first and
>>> then "when everybody has signed their zones", enable validation.
>> Ah, I think I was travelling during that session and couldn't join in. I would have challenged the notion that people shouldn't validate until everyone has signed, as I am doing now.
>> At a MINIMUM, one should have a validating host monitoring one's signed zones by doing periodic queries and reporting the results.
> Perhaps adding ones zone(s) to SecSpider accomplishes this? ;)

I agree--this is exactly the sort of thing that SecSpider is good for.

Is there any kind of notification process that SecSpider has?  For 
example, if I want to know if the information on, say 
<http://secspider.cs.ucla.edu/berkeley-edu--zone.html> changes in any 
meaningful way, I could just run a script to periodically 
scrape-and-diff that web page and email me certain differences.  But I 
was wondering if SecSpider has notification features built-in, that 
would email me if something changes.

I am also thinking of a smokeping or nagios process that differentially 
polls DNSSEC-enabled and DNSSEC-disabled resolvers and pages a NOC if 
one or both begin to fail.


More information about the dns-operations mailing list