[dns-operations] uspto.gov

bert hubert bert.hubert at netherlabs.nl
Mon May 17 20:13:06 UTC 2010

On Mon, May 17, 2010 at 08:26:34PM +0100, Randy Bush wrote:
> > I view this issue as pointing to multiple underlying contributing 
> > problems with federal (dot gov/dot mil) domains:
> psg.com:/usr/home/randy> doc -p -w uoregon.edu
> Doc-2.2.3: doc -p -w uoregon.edu
> Doc-2.2.3: Starting test of uoregon.edu.   parent is edu.
> Doc-2.2.3: Test date - Mon May 17 19:25:11 GMT 2010
> ERROR: NS list from uoregon.edu. authoritative servers does not
>   === match NS list from parent (edu.) servers
> Summary:
>    ERRORS found for uoregon.edu. (count: 1)
> Done testing uoregon.edu.  Mon May 17 19:25:13 GMT 2010

This is silly - uoregon.edu provides 'more specifics':
uoregon.edu.		172800	IN	NS	arizona.edu.
uoregon.edu.		172800	IN	NS	phloem.uoregon.edu.
uoregon.edu.		172800	IN	NS	ruminant.uoregon.edu.
;; Received 199 bytes from in 177 ms

uoregon.edu.		86400	IN	NS	arizona.edu.
uoregon.edu.		86400	IN	NS	phloem.uoregon.edu.
uoregon.edu.		86400	IN	NS	ruminant.uoregon.edu.

uoregon.edu.		86400	IN	NS	dns.cs.uoregon.edu.
uoregon.edu.		86400	IN	NS	bigdog.lsu.edu.
;; Received 289 bytes from in 166 ms

Which is entirely legal.

Getting back to uspto.gov, while we can't solve that one from here, it is
probably indicative of things to come - people that enable DNSSEC and in
turn get rewarded by people behind validating resolvers being unable to
reach them.

Until the validating resolver is patched, which was done for the uspto.gov
case. But there are bound to be others.

It is interesting to note that nobody over at uspto.gov appears to know or
care enough to get things moving to fix this. This is a datapoint that the
care level for DNSSEC in production is still set to 'meh'.
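
The parent/child NS comparison discussed in this message, as an added example that is not part of the original post: it parses the two dig answers quoted above and reports which name servers appear on only one side. The function names and verdict labels are this example's own.

```python
# Added example (not from the original post): compare the NS set delegated by
# the parent zone with the NS set served by the child zone's own servers.
# The records are the dig answers quoted in the message.
PARENT_ANSWER = """\
uoregon.edu.  172800  IN  NS  arizona.edu.
uoregon.edu.  172800  IN  NS  phloem.uoregon.edu.
uoregon.edu.  172800  IN  NS  ruminant.uoregon.edu.
"""
CHILD_ANSWER = """\
uoregon.edu.  86400  IN  NS  arizona.edu.
uoregon.edu.  86400  IN  NS  phloem.uoregon.edu.
uoregon.edu.  86400  IN  NS  ruminant.uoregon.edu.
uoregon.edu.  86400  IN  NS  dns.cs.uoregon.edu.
uoregon.edu.  86400  IN  NS  bigdog.lsu.edu.
"""


def ns_set(dig_text, zone):
    """Return the NS targets for `zone` found in dig-style answer text."""
    zone = zone.lower().rstrip(".") + "."
    targets = set()
    for line in dig_text.splitlines():
        fields = line.split()
        # Skip blanks, dig comment lines (";; ...") and malformed rows.
        if len(fields) != 5 or fields[0].startswith(";"):
            continue
        owner, _ttl, rclass, rtype, rdata = fields
        if owner.lower() == zone and rclass.upper() == "IN" and rtype.upper() == "NS":
            # DNS names compare case-insensitively; normalise the trailing dot.
            targets.add(rdata.lower().rstrip(".") + ".")
    return targets


def compare_delegation(parent, child):
    """Classify how the child's NS set relates to the parent's delegation."""
    only_parent, only_child = parent - child, child - parent
    if not only_parent and not only_child:
        verdict = "identical"
    elif not only_parent:
        verdict = "child-superset"   # the 'more specifics' case in the post
    elif not only_child:
        verdict = "parent-superset"  # parent lists servers the child omits
    else:
        verdict = "overlap" if parent & child else "disjoint"
    return verdict, sorted(only_parent), sorted(only_child)


if __name__ == "__main__":
    print(compare_delegation(ns_set(PARENT_ANSWER, "uoregon.edu"),
                             ns_set(CHILD_ANSWER, "uoregon.edu")))
```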

