[dns-operations] uspto.gov

Joe St Sauver joe at oregon.uoregon.edu
Mon May 17 18:27:49 UTC 2010


Edward mentioned:

#OTOH, getting the attention of US gov't IT departments can be 
#difficult when trying to report "broken things."  It might make sense 
#to try other members of the US gov't whose email addresses you 
#already know.  (I.e., if there's someone who can "open a trouble 
#ticket" with USPTO.gov, please help.)

I view this issue as pointing to multiple underlying contributing 
problems with federal (dot gov/dot mil) domains:

1) dot gov/dot mil domains lack usable domain whois (e.g., there's
   no domain whois point of contact information for dot gov/dot mil 
   domains)

2) because there's no dot gov/dot mil zone file access program,
   there's no ability to systematically test all 2nd level dot gov/
   dot mil domains for DNSSEC issues (or for IPv6 adoption, or
   [fill in the blank here])

3) dot gov/dot mil dns and web hosting is often at least partially
   outsourced (whether that's a matter of using a third party DNS
   provider, or a content distribution network, etc.); that adds to
   the complexity of finding the right person to fix issues when
   issues arise

The net effect of those three factors is that some dot gov or dot
mil domains are going to end up broken as a result of expiring keys
or botched rollover attempts or whatever, and:

a) it may be hard or impossible to effectively report this brokenness

b) at least in some cases, brokenness may exist for extended periods of
   time without even being identified and diagnosed

c) even if you do find the "right" person in dot gov/dot mil land,
   they may need to iterate to find the "right" person at their 
   third party provider or CDN to fix an issue everyone agrees exists.

I think someone, either in the community or in DC, needs to begin
systematically monitoring dot gov/dot mil for DNS brokenness of all
sorts. 

The first step toward that end is probably compiling a list of dot 
gov/dot mil hosts from the web, from passive DNS, etc., and then
periodically/systematically testing ALL those 2nd level domains and 
FQDNs to see which of them fail DNSSEC validation, for example. 

Then a comprehensive report can be made, rather than just handling 
these on a onesie-twosie basis as they happen to get noticed. I think
that a comprehensive weekly/monthly/quarterly report is more likely to 
get traction and attention than one-off emails to stale personal email
addresses or unmonitored role accounts.

Regards,

Joe St Sauver

Disclaimer: all opinions my own
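The systematic testing step proposed above (feed a compiled list of dot gov/dot mil names to a validating resolver and flag the ones that fail DNSSEC validation), as an added example that is not part of this mail. Each name is queried twice against one validating resolver: once normally (CD=0) and once with Checking Disabled (CD=1); SERVFAIL only when validation is enforced points at expired signatures or a botched rollover rather than a dead zone. The resolver address and the script name are assumptions.

```python
"""Probe domains for DNSSEC validation failures via one validating resolver.
Added example (not from the mail); RESOLVER is an assumption."""
import random, socket, struct

RESOLVER = "127.0.0.1"                # assumption: a validating resolver you operate
RD, AD, CD = 0x0100, 0x0020, 0x0010   # DNS header flag bits (RFC 1035, RFC 4035)
NOERROR, SERVFAIL = 0, 2

def build_query(name, checking_disabled, qid=None):
    """Wire-format A/IN query; AD set so the resolver reports authenticated data."""
    qid = random.randrange(65536) if qid is None else qid
    flags = RD | AD | (CD if checking_disabled else 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, flags, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)

def parse_header(msg):
    """Return (id, rcode, ad_bit) from the 12-byte DNS header."""
    qid, flags = struct.unpack(">HH", msg[:4])
    return qid, flags & 0x000F, bool(flags & AD)

def classify(rcode_validating, ad_validating, rcode_cd):
    """Combine the CD=0 (validated) and CD=1 (unvalidated) results into one verdict."""
    if rcode_validating is None or rcode_cd is None:
        return "timeout"
    if rcode_validating == SERVFAIL and rcode_cd == NOERROR:
        return "dnssec-bogus"          # zone answers but fails validation: the case to report
    if rcode_validating == NOERROR:
        return "secure" if ad_validating else "insecure"   # insecure = unsigned/unvalidated
    return "broken-regardless"         # NXDOMAIN or SERVFAIL even with CD=1: not a DNSSEC problem

def query(name, checking_disabled, resolver=RESOLVER, timeout=3.0):
    q = build_query(name, checking_disabled)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:         # reported as its own verdict, not as bogus
            return None, False
    return parse_header(resp)[1:]      # (rcode, ad_bit)

def probe(name, resolver=RESOLVER):
    rc_val, ad = query(name, False, resolver)
    rc_cd, _ = query(name, True, resolver)
    return name, classify(rc_val, ad, rc_cd)

if __name__ == "__main__":             # usage: python3 dnssec_probe.py < domains.txt
    import sys
    for name in filter(None, map(str.strip, sys.stdin)):
        print("%s\t%s" % probe(name))
```

Running the same list on a schedule and diffing the "dnssec-bogus" set from run to run gives the periodic report the mail asks for, without needing zone file access.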


