[Dnssec-deployment] Expired RRSIGs for .be
Dan Mahoney
dmahoney at isc.org
Sat Oct 9 12:42:37 EDT 2010
On Sat, 9 Oct 2010, Stephane Bortzmeyer wrote:
> On Fri, Oct 08, 2010 at 05:51:51PM +0200,
> Patrik Fältström <paf at cisco.com> wrote
> a message of 12 lines which said:
>
> > how have you notified the tech contact? Given DNS does not work for
> > that domain... ;-)
>
> Most (all?) of the signature expiration warning tools that have been
> posted or mentioned here are able to detect that the signature is
> _about to expire_ So you can send email saying "Your signatures will
> expire soon".
>
> Also, I vaguely remember that IANA allows several e-mail addresses for
> a contact (IANA: can you confirm?) If so, it may be good practice for
> a TLD to have ops at nic.$TLD and ops@$TLD-nic.net).
There's also something to be said for having valid contact into in your
SOA record. And actually checking it. And setting a whitelist for
DNS|ZONE|SIG|EXPIR|PROBLEM|ISSUE for that address in your spam system of
choice.
(Oddly, while I've seen spammers trawl WHOIS, I don't get much spam to the
address I use for this).
-Dan
More information about the Dnssec-deployment
mailing list