[Dnssec-deployment] DNSSEC validation errors in .gov
Eric Osterweil
eoster at cs.ucla.edu
Tue May 18 15:22:35 EDT 2010
On May 18, 2010, at 12:34 AM, Stephane Bortzmeyer wrote:
> On Fri, May 07, 2010 at 02:59:52PM -0400,
> Paul Wouters <paul at xelerance.com> wrote
> a message of 20 lines which said:
>
>> I've noticed in the last couple of weeks that we are regularly
>> seeing DNSSEC validation failures in various .gov zones. These range
>> from DS records pointing to missing DNSKEY records to RRSIG crypto
>> errors.
>
> And broken middleboxes, as we currently see for uspto.gov, broken for
> a few days.
>
Hey Stephane,
I just wanted to clarify: what do you mean here? The uspto.gov zone is having serious availability (PMTU) problems, but it's been ongoing for more than just a few days. I've been watching it at:
http://secspider.cs.ucla.edu/uspto-gov--zone.html
and for a while its availability dispersion has been quite poor. However, wasn't the OP about validating keys? I think this zone's keys do validate (at least, much of the time). SecSpider has seen various .gov sites flit in and out of verifiability, but they are not always unverifiable.
Eric