[dns-operations] uspto.gov

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue May 18 07:24:08 UTC 2010


On Mon, May 17, 2010 at 02:00:17PM -0700,
 Casey Deccio <casey at deccio.net> wrote 
 a message of 59 lines which said:

> I don't believe it's a lack of interest, just a lack of experience
> and resources.  It really is a non-trivial extension to plain DNS.

I strongly disagree. The problem with uspto.gov is not a DNSSEC one
(the signatures are valid, the chain of trust is OK) but a *network*
one. A broken middlebox prevents large responses from coming in.

% dig +multi +bufsize=4096 @dns2.uspto.gov DNSKEY uspto.gov 
...
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;uspto.gov.             IN DNSKEY

;; ANSWER SECTION:
uspto.gov.              7200 IN DNSKEY 256 3 7 (
...
[OK ]

% dig +multi +dnssec @dns2.uspto.gov DNSKEY uspto.gov  
...
;; connection timed out; no servers could be reached

Their network setup has been broken for ten years (since EDNS was introduced)
and DNSSEC is just a lame excuse.
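The two dig runs above, as an added, stdlib-only Python probe (this is not code from the message or from its author): it sends DNSKEY queries for a zone with the DO bit set and an increasing EDNS0 buffer size, then reports at which advertised size answers stop arriving. Small answers getting through while large ones time out is the signature of a middlebox or path-MTU problem rather than a signing problem. The server name, zone and list of buffer sizes on the command line are the caller's choice; the sizes 512/1232/1472/4096 are assumed defaults for illustration, and the only wire formats used are the plain DNS header, question and OPT record.

```python
"""Probe a nameserver with EDNS0 buffer sizes and the DO bit to tell a
network (large-UDP) problem apart from a DNSSEC one.  Stdlib only."""
import random
import socket
import struct

QTYPE_DNSKEY = 48
TYPE_OPT = 41
FLAG_TC = 0x0200           # header: TrunCation bit
EDNS_DO = 0x80000000       # OPT TTL field: DNSSEC OK bit (top bit)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, txid, bufsize=None, do=False):
    """Build a UDP DNS query; with bufsize set, append an EDNS0 OPT record."""
    arcount = 1 if bufsize else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)      # class IN
    if bufsize:
        ttl = EDNS_DO if do else 0
        # OPT: owner name is root, CLASS carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, ttl, 0)
    return msg


def _skip_name(data, off):
    """Advance past a (possibly compressed) name without decoding it."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return the header fields and EDNS parameters of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # QTYPE + QCLASS
    info = {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "ancount": an, "edns_bufsize": None, "do": False, "size": len(data)}
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["edns_bufsize"] = rclass
            info["do"] = bool(ttl & EDNS_DO)
    return info


def probe(server, qname, bufsizes=(512, 1232, 1472, 4096), timeout=3.0):
    """Send DO-bit DNSKEY queries with increasing EDNS buffer sizes; map size -> outcome."""
    results = {}
    for size in bufsizes:
        txid = random.randrange(1 << 16)
        query = build_query(qname, QTYPE_DNSKEY, txid, bufsize=size, do=True)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server, 53))
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                results[size] = "timeout"
                continue
        reply = parse_response(data)
        if reply["id"] != txid:
            results[size] = "mismatched id"
        elif reply["tc"]:
            results[size] = "truncated"       # server asks us to retry over TCP
        else:
            results[size] = "ok:%d" % reply["size"]
    return results


def diagnose(results):
    """Small answers arrive but large ones time out: that is the network, not DNSSEC."""
    ok = [s for s, r in results.items() if r.startswith("ok")]
    lost = [s for s, r in results.items() if r == "timeout"]
    if ok and lost and max(ok) < min(lost):
        return "network: queries advertising more than %d bytes get no answer" % max(ok)
    if lost and not ok:
        return "unreachable: no response at any size"
    return "no size-dependent loss observed"


if __name__ == "__main__":
    # Live use, e.g.: python probe.py dns2.uspto.gov uspto.gov
    import sys
    res = probe(sys.argv[1], sys.argv[2])
    for size, outcome in sorted(res.items()):
        print("bufsize %5d: %s" % (size, outcome))
    print(diagnose(res))
```

A "truncated" result at a small buffer size followed by "ok" at a larger one is the healthy pattern; "ok" at 512 or 1232 followed by "timeout" at 1472 or 4096 is the pattern the message describes, and TCP fallback (dig +tcp) is the quick cross-check that the server itself can still produce the signed answer.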


