bert.hubert at netherlabs.nl
Mon May 17 20:13:06 UTC 2010
On Mon, May 17, 2010 at 08:26:34PM +0100, Randy Bush wrote:
> > I view this issue as pointing to multiple underlying contributing
> > problems with federal (dot gov/dot mil) domains:
> psg.com:/usr/home/randy> doc -p -w uoregon.edu
> Doc-2.2.3: doc -p -w uoregon.edu
> Doc-2.2.3: Starting test of uoregon.edu. parent is edu.
> Doc-2.2.3: Test date - Mon May 17 19:25:11 GMT 2010
> ERROR: NS list from uoregon.edu. authoritative servers does not
> === match NS list from parent (edu.) servers
> ERRORS found for uoregon.edu. (count: 1)
> Done testing uoregon.edu. Mon May 17 19:25:13 GMT 2010
this is silly - uoregon.edu provides 'more specifics':
uoregon.edu. 172800 IN NS arizona.edu.
uoregon.edu. 172800 IN NS phloem.uoregon.edu.
uoregon.edu. 172800 IN NS ruminant.uoregon.edu.
;; Received 199 bytes from 126.96.36.199#53(f.gtld-servers.net) in 177 ms
uoregon.edu. 86400 IN NS arizona.edu.
uoregon.edu. 86400 IN NS phloem.uoregon.edu.
uoregon.edu. 86400 IN NS ruminant.uoregon.edu.
uoregon.edu. 86400 IN NS dns.cs.uoregon.edu.
uoregon.edu. 86400 IN NS bigdog.lsu.edu.
;; Received 289 bytes from 188.8.131.52#53(arizona.edu) in 166 ms
Which is entirely legal.
Getting back to uspto.gov, while we can't solve that one from here, it is
probably indicative of things to come - people that enable DNSSEC and in
turn get rewarded by people behind validating resolvers being unable to
Until the validating resolver is patched, which was done for the uspto.gov
case. But there are bound to be others.
It is interesting to note that nobody over at uspto.gov appears to know or
care enough to get things moving to fix this. This is a datapoint that the
care level for DNSSEC in production is still set to 'meh'.
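
Added example, not part of the original message and not code from the doc tool: a Python comparison of the parent and child NS sets quoted above, which separates the child-superset case seen here from mismatches where the parent delegates to servers the zone itself does not list. The function names and result labels are this example's own, and the sample input is constructed from the records quoted in the message.

```python
# Constructed sample input: the NS records quoted in the message above,
# first as served by the parent (edu.) and then by the child zone itself.
PARENT = """\
uoregon.edu. 172800 IN NS arizona.edu.
uoregon.edu. 172800 IN NS phloem.uoregon.edu.
uoregon.edu. 172800 IN NS ruminant.uoregon.edu.
"""
CHILD = """\
uoregon.edu. 86400 IN NS arizona.edu.
uoregon.edu. 86400 IN NS phloem.uoregon.edu.
uoregon.edu. 86400 IN NS ruminant.uoregon.edu.
uoregon.edu. 86400 IN NS dns.cs.uoregon.edu.
uoregon.edu. 86400 IN NS bigdog.lsu.edu.
"""

def ns_set(text, zone):
    """Return the NS target names for `zone` from dig-style answer lines."""
    zone = zone.lower().rstrip(".") + "."
    names = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop dig ';;' comments
        # Expected layout: owner TTL class type rdata
        if len(fields) != 5 or fields[2].upper() != "IN" or fields[3].upper() != "NS":
            continue
        if fields[0].lower().rstrip(".") + "." != zone:
            continue
        names.add(fields[4].lower().rstrip(".") + ".")
    return names

def classify(parent, child):
    """Compare delegation (parent) and apex (child) NS sets; labels are hypothetical."""
    if not parent or not child:
        return "incomplete", set(), set()
    only_parent = parent - child   # delegated to, but not listed by the zone
    only_child = child - parent    # extra servers only the zone lists
    if not only_parent and not only_child:
        label = "identical"
    elif not only_parent:
        label = "child-superset"   # the uoregon.edu case in the message
    elif parent & child:
        label = "parent-has-unlisted"
    else:
        label = "disjoint"
    return label, only_parent, only_child

if __name__ == "__main__":
    result = classify(ns_set(PARENT, "uoregon.edu"), ns_set(CHILD, "uoregon.edu"))
    print(result[0], sorted(result[1]), sorted(result[2]))
```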