Barry Margolin barmar at alum.mit.edu
Thu May 10 14:33:58 UTC 2012

In article <mailman.748.1336659466.63724.bind-users at lists.isc.org>,
 Tony Finch <dot at dotat.at> wrote:

> Barry Margolin <barmar at alum.mit.edu> wrote:
> >
> > [Validation is] only untroublesome until someone screws things up on
> > their auth server.  When one of your users can't access something.gov,
> > they'll complain to YOU, even though it's mostly out of your hands.
> >
> > This is true for other problems on auth servers as well, of course.  But
> > DNSSEC is new enough that there tend to be more failures of this kind,
> > even by organizations that until now have seemed to know what they're
> > doing.
> Some of the early DNSSEC deployments (especially in .gov) did not use good
> tooling. That's much less of a problem now. See for instance the big
> DNSSEC deployments in Sweden, Czech, Brazil.
> Even third party DNSSEC screwups have not caused us much trouble.

Every week or two someone complains in the Comcast Help Forum about 
being unable to resolve some .gov address, and the usual cause is that 
the domain operator messed up their DNSSEC.

But I agree that it's not as frequent as it was 6 months ago.  It also 
helps that Comcast can now work around it by configuring exceptions to 
DNSSEC checking.

Barry Margolin
Arlington, MA

More information about the bind-users mailing list