a question(s) from the peanut gallery... (I assumed some things...) if the operations work to maintain dnssec stuff for zones is not productionized and automated and tested failures like this army.mil (and most previous other zone problems elsewhere related to dnssec, most likely) issue happen...
what process gets us all to better, more stable, more reliable dnssec deployment on a per-zone basis? is the problem that army.mil can be broken for X hours/days with respect to dnssec because 'no one notices' and thus the failure has low/zero cost to the domain owner? Is the process/ops-work so hard that it can't be automated/productionized? If the 'no one notices' answer is 'yes', how do more people get to the place where they notice? by enabling validation in resolvers? could US Gov't agencies all enable this 'now' and help to find these problems more quickly? could OMB be brought to bear on this sort of thing in a reasoned way? -chris On Wed, Aug 21, 2013 at 10:18 AM, Fr34k <[email protected]> wrote: > http://dnssec-debugger.verisignlabs.com/army.mil also shows several issues. > > > > > ----- Original Message ----- >> From: "Rose, Scott W." <[email protected]> >> To: Mike A <[email protected]>; DNS Operations >> <[email protected]> >> Cc: >> Sent: Wednesday, August 21, 2013 10:06 AM >> Subject: Re: [dns-operations] problems resolving army.mil and us.army.mil? >> >> Me too. From NIST and DNSViz: >> http://dnsviz.net/d/army.mil/dnssec/ >> >> Can't reach any of the servers listed. >> >> Scott >> >> >> =================================== >> Scott Rose >> NIST >> [email protected] >> +1 301-975-8439 >> Google Voice: +1 571-249-3671 >> http://www.dnsops.gov/ >> https://www.had-pilot.com/ >> =================================== >> >> >> >> >> >> >> -----Original Message----- >> From: Mike A <[email protected]> >> Date: Wednesday, August 21, 2013 10:02 AM >> To: DNS Operations <[email protected]> >> Subject: [dns-operations] problems resolving army.mil and us.army.mil? >> >>> I'm seeing timeouts and SERVFAILs trying to resolve army.mil and >>> us.army.mil from multiple locations on disjoint nets. Anyone else? >>> >>> -- >>> Mike Andrews, W5EGO >>> [email protected] >>> Tired old sysadmin >>> _______________________________________________ >>> dns-operations mailing list >>> [email protected] >>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations >>> dns-jobs mailing list >>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs >> >> _______________________________________________ >> dns-operations mailing list >> [email protected] >> https://lists.dns-oarc.net/mailman/listinfo/dns-operations >> dns-jobs mailing list >> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs >> > _______________________________________________ > dns-operations mailing list > [email protected] > https://lists.dns-oarc.net/mailman/listinfo/dns-operations > dns-jobs mailing list > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
