[dns-operations] Implementation of negative trust anchors?

Casper Gielen C.Gielen+dnsoarc at uvt.nl
Tue Aug 27 16:27:16 UTC 2013

On 27-08-13 18:02, Paul Wouters wrote:
> Actually, I think most common has been "expired RRSIGs".

In my experience the most common error is a missing DNSKEY.
That usually happens when a domain moves from a provider with
DNSSEC-support to one without it. On my network these errors far
outweigh all the rest. I have to add to that that in my region (.NL) there are
few large hosters that support DNSSEC on all their domains. That's very
different from most of the rest of the world.

Over the past two months I have been monitoring validation failures.
I've got over a hundred documented cases of a missing DNSKEY and only a
handful of expired rrsigs.

Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
