[dns-operations] .PL DNSSEC broken again

bert hubert bert.hubert at powerdns.com
Mon Jun 17 13:09:15 UTC 2019

On Mon, Jun 17, 2019 at 04:49:34AM -0400, Viktor Dukhovni wrote:
> > This is not good for DNSSEC validation adoption. I hope .pl can
> > look into this urgently.
> I also don't think it is productive to hold DNSSEC to a higher
> expectation of uptime than other technologies whose occasional
> outages we seem to accept without a similar fuss.

I typed this in because one of our customers had enabled validation this
morning & was ready to turn it off again because they immediately ran into
this problem.

The problem is that from an operator point of view, DNSSEC is optional. They
can just turn it off. This means they _do_ hold it to a higher standard
because if it causes problems, they can do without it.

> [ Large parts of the Google cloud failed for multiple hours quite
>   recently.  I don't recall much consternation about cloud-service
>   adoption. ]

We have very little choice there.

> All kinds of outages happen, monitoring and a 24-hour NOC are key,
> from as many vantage points as practical if you're a TLD zone.

We are in full agreement here - and that is why I urged the TLD operator to
look into this urgently. 

We run monitoring for a number of our customers and it is surprising how
quickly DNS monitoring from multiple vantage points uncovers network issues,
including for example route leaks and hijacks.

