michael at rancid.berkeley.edu
Wed May 19 00:31:13 UTC 2010
On 05/18/10 06:31, Chris Thompson wrote:
> On May 18 2010, Edward Lewis wrote:
>> At 16:30 -0400 5/17/10, Dave Knight wrote:
>>> I just sent email to the address in the SOA RNAME for uspto.gov,
>>> pointed to
>>> the list archive for this thread and received a response 3 minutes later
>>> from someone already aware of the thread and the issues.
>> I'm glad you posted this - I tend to forget the RNAME and what it is
>> meant to be used for.
> I tend to try SOA.rname first, if only to avoid fighting my way through
> the whois maze. When it doesn't work, and if I eventually make contact
> with the zone owner, I tell^Wask them to fix it...

I have generally had good luck regarding GOV issues with sending mail to
the SOA RNAME along with a cc to the technical contact for the GOV TLD.

The one complaint I would have regarding the OMB mandate for USG
deployment of DNSSEC would be that the mandate only required agencies to
sign their zones, not to actually do any validation. So you have all of
these agencies putting out DNSSEC dogfood with zero idea of what it
tastes like. Those of us doing validation are the first ones to have to
deal with the consequences. It's not all bad--some agencies (including
a handful of the DoE labs) are trying to do the right thing. Not only
are they doing validation, but they are actively helping diagnose
problems at other GOVs. (Casey Deccio at Sandia Lab is a prime example.)

My point is that the mandate could have been a bit better, with a better
understanding of both the validation and signing components of a DNSSEC
operation. This is not an indictment of DNSSEC, just a critique of
implementation mandates for GOV operators.