bortzmeyer at nic.fr
Tue May 18 07:24:08 UTC 2010
On Mon, May 17, 2010 at 02:00:17PM -0700,
Casey Deccio <casey at deccio.net> wrote
a message of 59 lines which said:
> I don't believe it's a lack of interest, just a lack of experience
> and resources. It really is a non-trivial extension to plain DNS.
I strongly disagree. The problem with uspto.gov is not a DNSSEC one
(the signatures are valid, the chain of trust is OK) but a *network*
one. A broken middlebox prevents large responses from coming in.
% dig +multi +bufsize=4096 @dns2.uspto.gov DNSKEY uspto.gov
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;uspto.gov. IN DNSKEY
;; ANSWER SECTION:
uspto.gov. 7200 IN DNSKEY 256 3 7 (
% dig +multi +dnssec @dns2.uspto.gov DNSKEY uspto.gov
;; connection timed out; no servers could be reached
Their network setup has been broken for ten years (when EDNS was introduced)
and DNSSEC is just a lame excuse.
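As an added illustration (not part of the post above, and not a tool the list or its author provides), the three probes the dig commands stand for, written out in DNS wire format with the same classification logic: a reply to a plain query rules out the server being down, a reply to an EDNS query without the DO bit rules out an EDNS filter, and a timeout only once the DO bit makes the answer large points at the path dropping large or fragmented UDP rather than at the zone's signatures. The function and constant names (build_query, probe, diagnose, DNSKEY) are this example's own.

```python
import socket
import struct

DNSKEY = 48        # QTYPE for DNSKEY
OPT_TYPE = 41      # EDNS0 pseudo-RR type
DO_BIT = 0x8000    # "DNSSEC OK" flag, high bit of the OPT TTL flags half

def build_query(qname, qtype, udp_size=None, do_bit=False, txid=0x1234):
    """Wire-format query. With udp_size set, an EDNS0 OPT record is appended:
    owner name is the root, CLASS carries the advertised UDP payload size and
    the TTL field carries extended RCODE/version/flags (DO lives in the flags)."""
    arcount = 1 if udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    for label in qname.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, 1)               # QTYPE, IN
    if udp_size:
        ttl = DO_BIT if do_bit else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return msg

def probe(server, query, timeout=3.0):
    """Send one UDP query to port 53; return the raw reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

def diagnose(plain, edns, edns_do):
    """Each argument is True if the corresponding probe got an answer:
    plain query, EDNS (bufsize 4096) without DO, EDNS with DO."""
    if not plain:
        return "server unreachable"
    if not edns:
        return "EDNS itself is blocked"
    if not edns_do:
        return "large responses blocked (middlebox/fragmentation)"
    return "no problem observed"

if __name__ == "__main__":
    import sys
    server, zone = sys.argv[1], sys.argv[2]   # authoritative server address, zone name
    results = [probe(server, build_query(zone, DNSKEY, *opts)) is not None
               for opts in ((None, False), (4096, False), (4096, True))]
    print(diagnose(*results))
```

The DO probe only proves the point when the signed answer really is large; a small signed zone would return fine and the "large responses blocked" verdict would not be reached.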