Chris_Griffiths at Cable.Comcast.com
Mon Jan 16 23:44:00 EST 2012
On Jan 16, 2012, at 5:58 PM, Tony Finch wrote:
> Griffiths, Chris <Chris_Griffiths at Cable.Comcast.com> wrote:
>
> > Our validating resolvers currently validate all signed zones and use the
> > root key as the trust anchor. As long as the zone owners have signed
> > their zone (which would include our own zones), we will validate. We
> > have seen some fallout from zone owners who have broken implementations
> > and we have worked with them to correct their configurations, as well as
> > put together operational processes to deal with items like this.
>
> Do these operational processes include temporarily disabling validation
> for broken domains? Or flushing caches so a fix becomes visible sooner?
> Or other actions?
Yes, we do. If we receive a broken-domain report through various channels, we check validation across our platform with automated and manual processes and tooling, and if the issue persists for x amount of time, we disable validation on the domain(s) in question while we contact the owner to repair the issue. Once we have confirmed the repair, we enable validation again for the impacted domain(s) and potentially flush cache as needed. I am working on an IETF draft that covers our learnings from implementing DNSSEC, and I hope to have a first revision before the Paris IETF so it can get review.
Comcast Cable Communications, Inc.
National Engineering and Technical Operations
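The workflow described in the reply above (confirm the failure across the resolver fleet, wait out a grace period, add a temporary negative trust anchor for the affected domain, flush the cache, and remove the anchor once the owner has fixed the zone) can be scripted. The following is an added example written for this archive page; it is not Comcast's tooling and not part of the original message. It assumes a one-hour grace period in place of the post's "x amount of time", constructed check results for four made-up domains, and that the resolvers are BIND 9.11 or later (`rndc nta`, `rndc flushname`) or Unbound with remote control enabled (`unbound-control insecure_add` / `insecure_remove` / `flush_zone`).

```python
"""Decide when a DNSSEC-broken domain has failed long enough, fleet-wide, to
warrant a temporary negative trust anchor, and emit the operator commands.

Added example, not the original poster's code. Threshold and sample data are
assumptions; the rndc / unbound-control commands are the real interfaces of
BIND 9.11+ and Unbound respectively.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample output of a fleet-wide validation check. Each tuple is
# (timestamp, resolver, domain, status). "ok" means the answer validated
# (AD bit set); "bogus" means the resolver returned SERVFAIL while the same
# query succeeded with checking disabled (+cd), i.e. the zone itself is broken.
CHECKS = [
    # broken.example: bogus on every resolver for two hours -> candidate
    (datetime(2012, 1, 16, 21, 0), "res-a", "broken.example", "bogus"),
    (datetime(2012, 1, 16, 21, 0), "res-b", "broken.example", "bogus"),
    (datetime(2012, 1, 16, 22, 30), "res-a", "broken.example", "bogus"),
    (datetime(2012, 1, 16, 22, 30), "res-b", "broken.example", "bogus"),
    # recent.example: bogus everywhere, but only for 30 minutes -> keep waiting
    (datetime(2012, 1, 16, 22, 30), "res-a", "recent.example", "bogus"),
    (datetime(2012, 1, 16, 22, 30), "res-b", "recent.example", "bogus"),
    # flap.example: one resolver fails while another validates -> not a zone fault
    (datetime(2012, 1, 16, 21, 0), "res-a", "flap.example", "bogus"),
    (datetime(2012, 1, 16, 21, 0), "res-b", "flap.example", "ok"),
    (datetime(2012, 1, 16, 22, 30), "res-b", "flap.example", "ok"),
    # fine.example: healthy
    (datetime(2012, 1, 16, 22, 30), "res-a", "fine.example", "ok"),
]

NOW = datetime(2012, 1, 16, 23, 0)          # assumed "current" time for the sample
THRESHOLD = timedelta(hours=1)              # stands in for the post's "x amount of time"


def persistent_failure_start(results):
    """Start time of the trailing run of 'bogus' results for one resolver and
    one domain, or None if the most recent check validated."""
    start = None
    for ts, status in sorted(results):
        if status == "bogus":
            if start is None:
                start = ts
        else:
            start = None          # a validated answer resets the run
    return start


def domains_to_disable(checks, now, threshold):
    """Domains whose validation has failed on *every* resolver that checked
    them, continuously, for at least `threshold`. Requiring all resolvers
    avoids reacting to a single-node cache or connectivity problem."""
    per_domain = defaultdict(lambda: defaultdict(list))
    for ts, resolver, domain, status in checks:
        per_domain[domain][resolver].append((ts, status))
    out = []
    for domain, per_resolver in per_domain.items():
        starts = [persistent_failure_start(r) for r in per_resolver.values()]
        if all(s is not None and now - s >= threshold for s in starts):
            out.append(domain)
    return sorted(out)


def disable_commands(domain, software, lifetime="1d"):
    """Commands to stop validating `domain` temporarily and drop cached
    (bogus) data for it. The NTA expires on its own so a forgotten anchor
    cannot silently turn into permanent non-validation."""
    if software == "bind":
        return [f"rndc nta -lifetime {lifetime} {domain}", f"rndc flushname {domain}"]
    if software == "unbound":
        return [f"unbound-control insecure_add {domain}", f"unbound-control flush_zone {domain}"]
    raise ValueError(f"unknown resolver software: {software}")


def reenable_commands(domain, software):
    """Commands to resume validation once the owner has confirmed the repair,
    flushing again so the fixed zone is visible immediately."""
    if software == "bind":
        return [f"rndc nta -remove {domain}", f"rndc flushname {domain}"]
    if software == "unbound":
        return [f"unbound-control insecure_remove {domain}", f"unbound-control flush_zone {domain}"]
    raise ValueError(f"unknown resolver software: {software}")


if __name__ == "__main__":
    for d in domains_to_disable(CHECKS, NOW, THRESHOLD):
        print(f"# {d}: failing fleet-wide for >= {THRESHOLD}; adding negative trust anchor")
        for cmd in disable_commands(d, "bind"):
            print(cmd)
```

In practice the "ok"/"bogus" status per resolver comes from two queries against each node: `dig @resolver +dnssec name` returning SERVFAIL while `dig @resolver +cd name` returns an answer points at a validation failure rather than an outage. Using a lifetime-bounded NTA rather than editing the configuration keeps the disable step reversible and time-limited, which matches the reply's "enable validation again ... and potentially flush cache" once the repair is confirmed.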