From appearances, the error is not DNSSEC related (army.mil is unsigned), but that no one can reach the army.mil servers. I see both SERVFAIL and "no servers could be reached" errors.

As for requiring validation, the next version of the security controls for all Federal USG systems will require DNSSEC validation in the agency. This will likely be at the recursive resolver level, not the end system.

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

That was published in 4/2013, so it won't be "in effect" until next April, but some agencies are doing validation now. We already hear of issues and some successes.

Scott

===================================
Scott Rose
NIST
[email protected]
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
https://www.had-pilot.com/
===================================

-----Original Message-----
From: Christopher Morrow <[email protected]>
Date: Wednesday, August 21, 2013 1:04 PM
To: Fr34k <[email protected]>
Cc: "Rose, Scott W." <[email protected]>, Mike A <[email protected]>, DNS Operations <[email protected]>
Subject: Re: [dns-operations] problems resolving army.mil and us.army.mil?

>a question(s) from the peanut gallery...
>(I assumed some things...)
>
>if the operations work to maintain dnssec stuff for zones is not
>productionized and automated and tested failures like this army.mil
>(and most previous other zone problems elsewhere related to dnssec,
>most likely) issue happen...
>
>what process gets us all to better, more stable, more reliable dnssec
>deployment on a per-zone basis?
>
>is the problem that army.mil can be broken for X hours/days with
>respect to dnssec because 'no one notices' and thus the failure has
>low/zero cost to the domain owner? Is the process/ops-work so hard
>that it can't be automated/productionized?
>
>If the 'no one notices' answer is 'yes', how do more people get to the
>place where they notice? by enabling validation in resolvers? could US
>Gov't agencies all enable this 'now' and help to find these problems
>more quickly? could OMB be brought to bear on this sort of thing in a
>reasoned way?
>
>-chris
>
>On Wed, Aug 21, 2013 at 10:18 AM, Fr34k <[email protected]> wrote:
>> http://dnssec-debugger.verisignlabs.com/army.mil also shows several issues.
>>
>> ----- Original Message -----
>>> From: "Rose, Scott W." <[email protected]>
>>> To: Mike A <[email protected]>; DNS Operations <[email protected]>
>>> Cc:
>>> Sent: Wednesday, August 21, 2013 10:06 AM
>>> Subject: Re: [dns-operations] problems resolving army.mil and us.army.mil?
>>>
>>> Me too. From NIST and DNSViz:
>>> http://dnsviz.net/d/army.mil/dnssec/
>>>
>>> Can't reach any of the servers listed.
>>>
>>> Scott
>>>
>>> ===================================
>>> Scott Rose
>>> NIST
>>> [email protected]
>>> +1 301-975-8439
>>> Google Voice: +1 571-249-3671
>>> http://www.dnsops.gov/
>>> https://www.had-pilot.com/
>>> ===================================
>>>
>>> -----Original Message-----
>>> From: Mike A <[email protected]>
>>> Date: Wednesday, August 21, 2013 10:02 AM
>>> To: DNS Operations <[email protected]>
>>> Subject: [dns-operations] problems resolving army.mil and us.army.mil?
>>>
>>>> I'm seeing timeouts and SERVFAILs trying to resolve army.mil and
>>>> us.army.mil from multiple locations on disjoint nets. Anyone else?
>>>>
>>>> --
>>>> Mike Andrews, W5EGO
>>>> [email protected]
>>>> Tired old sysadmin
>>>> _______________________________________________
>>>> dns-operations mailing list
>>>> [email protected]
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>>> dns-jobs mailing list
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
