[dns-operations] .biz DNSSEC failure?

Vernon Schryver vjs at rhyolite.com
Sat Jun 22 20:58:45 UTC 2013


> It's something that a signer solution should really check for before
> allowing a zone to be pushed, even if that means some kind of internet
> connectivity to get those DS records.

If a "signer solution" is something done by, for, or in a parent
domain (e.g. the gTLD operator, registry, or registrar),
thanks but no thanks.  Neither ARIN nor Tucows/OpenDS could handle
RFC standard DS RRs last year.  ARIN choked on perfectly legal
blanks from various BIND9 tools to sign PTR RRs.  Tucows/OpenDNS
seemed to just choke on .net and .com DNSSEC, after saying something
about NetworkSolutions having trouble with the blanks.

Never mind that I'm not a fan of those blanks and find them confusing,
because I'm merely human and not part of a "signer solution."


My reading between the lines of recent Network Solutions LinkedIn
and the other 5,000 or 50,000 domains kerfuffle is that the problem was
in just such "user friendly" (in the very bad old IE sense) machinery.

An authorized authority should be just as free to push, publish, upload,
etc. strange, odd, or just plain bad DNSSEC RRs as any other type.
Authorized authorities should be able to hire nannies to hold their
hands if they want, but hand holding should not be the default, not
even if you exclude the long time usual suspect sources of "innocent"
DNS chaos.


Vernon Schryver    vjs at rhyolite.com


