[Dnssec-deployment] DNSSEC validation errors in .gov
Paul Wouters
paul at xelerance.com
Fri May 7 14:59:52 EDT 2010
I've noticed in the last couple of weeks that we are regularly seeing
DNSSEC validation failures in various .gov zones. These range from DS
records pointing to missing DNSKEY records to RRSIG crypto errors.

Is there any central authority within .gov that is tracking any sites
and helps them when errors are encountered? Is there a central DNS admin
for .gov (e.g. someone at dotgov.gov or NIST)?

I am a bit worried about seeing these go seemingly unnoticed. I guess
it means most .gov sites are deploying DNSSEC on their auth servers,
but not on their resolvers. It also seems those who are signing are
not actively monitoring their own sites - either as part of their
signer solution or via external monitoring.

Reporting it to the site owners is also not always easy for us, since
our infrastructure uses DNSSEC and often the contact is within the
zone that has gone dark from a DNSSEC point of view.

Paul
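
Added example, not part of the original message: a monitoring check for the first failure class mentioned above, a DS record at the parent that matches no DNSKEY published by the child, using the RFC 4034 key tag and DS digest computation. The zone name, key bytes and all function names are constructed for illustration.

```python
import hashlib
import struct
from typing import NamedTuple

class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int   # 1 = SHA-1, 2 = SHA-256
    digest: bytes

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    # DNSKEY RDATA: flags (2) | protocol, always 3 (1) | algorithm (1) | key
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> DS:
    """DS digest = hash(owner name in wire form | DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return DS(key_tag(rdata), rdata[3], digest_type, digest)

def orphaned_ds(owner, ds_set, dnskey_set):
    """DS records matching no published DNSKEY (or with an unsupported digest type)."""
    return [ds for ds in ds_set
            if ds.digest_type not in DIGESTS
            or not any(make_ds(owner, k, ds.digest_type) == ds for k in dnskey_set)]

# Constructed sample data: placeholder key bytes, not real keys or a real zone.
OWNER = "zone.example."
KSK_CURRENT = dnskey_rdata(257, 8, bytes(range(64)))
ZSK_CURRENT = dnskey_rdata(256, 8, bytes(range(64, 128)))
KSK_RETIRED = dnskey_rdata(257, 8, bytes(range(128, 192)))  # removed from the child
PARENT_DS = [make_ds(OWNER, KSK_CURRENT), make_ds(OWNER, KSK_RETIRED)]
CHILD_DNSKEYS = [KSK_CURRENT, ZSK_CURRENT]

if __name__ == "__main__":
    for ds in orphaned_ds(OWNER, PARENT_DS, CHILD_DNSKEYS):
        print(f"{OWNER} DS key tag {ds.key_tag} matches no published DNSKEY")
```

A stale DS alongside a valid one does not by itself break validation, but if every DS in the set is orphaned, validating resolvers treat the zone as bogus.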