On Jul 9, 2014, at 3:57 AM, Jelte Jansen <jelte.jan...@sidn.nl> wrote:
> On 07/09/2014 09:46 AM, Stephane Bortzmeyer wrote:
>> Is there a trend towards _less_ DNSSEC problems, with time? This is
>> not obvious. nasa.gov just botched a key rollover.
>>
>> The problem (DS to a non-existing key)
>> http://dnsviz.net/d/nasa.gov/U7yzSQ/dnssec/
>>
>
> Only local, so I can't say anything about global trends, but we've been
> running a validation monitor where we notify registrars of DNSSEC errors
> that are encountered in the wild (The DNSSEC Validation Monitor; the
> extended description is in Dutch but here are some slides about it:
> https://www.sidnlabs.nl/uploads/tx_sidnpublications/DNSSEC_Validation_Monitor.pdf).
>
> DS to no keys at all (usually after a registrar move) tends to be the
> error that happens most. But within .nl, there is definitely a trend
> downwards.
>

Haven't been tracking errors like I did, but there was a downward trend 2 years ago. From 10% of signed .gov having errors to below 1%. Recent weeks, there has been an increase in failures and going from signed to unsigned (by a few zones).

My initial guess is that these errors are due to operational changes: people moving on, new vendor, etc. and a failure to document procedures. Could also be due to simple complacency.

Scott

> Jelte