In article <mailman.748.1336659466.63724.bind-us...@lists.isc.org>, Tony Finch <d...@dotat.at> wrote:
> Barry Margolin <bar...@alum.mit.edu> wrote:
> >
> > [Validation is] only untroublesome until someone screws things up on
> > their auth server. When one of your users can't access something.gov,
> > they'll complain to YOU, even though it's mostly out of your hands.
> >
> > This is true for other problems on auth servers as well, of course. But
> > DNSSEC is new enough that there tend to be more failures of this kind,
> > even by organizations that until now have seemed to know what they're
> > doing.
>
> Some of the early DNSSEC deployments (especially in .gov) did not use good
> tooling. That's much less of a problem now. See for instance the big
> DNSSEC deployments in Sweden, Czech, Brazil.
>
> Even third party DNSSEC screwups have not caused us much trouble.

Every week or two someone complains in the Comcast Help Forum about being unable to resolve some .gov address, and the usual cause is that the domain operator messed up their DNSSEC. But I agree that it's not as frequent as it was 6 months ago. It also helps that Comcast can now work around it by configuring exceptions to DNSSEC checking.

--
Barry Margolin
Arlington, MA