[dns-operations] problems resolving army.mil and us.army.mil?

Christopher Morrow morrowc.lists at gmail.com
Wed Aug 21 18:09:17 UTC 2013

On Wed, Aug 21, 2013 at 1:19 PM, Rose, Scott W. <scott.rose at nist.gov> wrote:
> From appearances, the error is not DNSSEC related (army.mil is unsigned),
> but that no one can reach the army.mil servers.  I see both SERVFAIL and
> "no servers could be reached" errors.

bummer, I thought I had seen dnssec problems :(
I wasn't looking as closely as I should have, clearly (see peanut
gallery portion of comment)

> As for requiring validation, the next version of the security controls for
> all Federal USG systems will require DNSSEC validation in the agency.

oh, that's good(er).

> This will likely be at the recursive resolver level, not the end system.
> http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
> That was published in 4/2013, so it won't be "in effect" until next April,
> but some agencies are doing validation now.  We already hear of issues and
> some successes.

hurrah! it seems that like other internet-things, making more people
scream gets you the lube required to operationalize things better :)
(or I hope that's what the lube is for)


