From: "Livingood, Jason" <jason_living...@cable.comcast.com>
> 1 - Responsibility for authoritative DNSSEC mistakes rests with
> authoritative operators
> (written up quickly in http://tools.ietf.org/html/draft-livingood-auth-dnssec-mistakes-00)

The ultimate responsibility for domain issues really rests with the domain owner, not the domain admin. In section 3, you write

    Even in cases where some error may be introduced by a third party,
    whether that is due to an authoritative server software vendor,
    software tools vendor, domain name registrar, or other organization,
    these are all parties that the domain administrator has selected and
    is responsible for managing successfully.

If the domain administration is provided by an outside party, it is the owner that selected them and the owner is the one ultimately responsible. In many such service provider arrangements, the only party that has any influence to correct problems is the owner, via SLA and the power of the checkbook.

Coincidentally, I am dealing with the provider for a local college that has outsourced much of their IT. I am trying to get their SPF record corrected. The outsourcing provider admits the record "could use updating" but after close to 2 weeks, it is still wrong. I gave up after several phone calls to the provider and I am in contact with the local college IT staff. Time will tell if this provides any results.

> 2 - In case of DNSSEC validation failures, don't change resolvers
> (written up quickly in http://tools.ietf.org/html/draft-livingood-dont-switch-resolvers-00)

A well written sermon to the choir, I'm afraid. I suspect there is little that can be done to prevent the typical end user from doing what they perceive as fixing the problem. Unless this floats to the top of every search for "Why can't I get to $PopularDomain", people will find the advice to switch to a non-validating resolver. Fortunately, the number of publicly available non-validating resolvers is declining.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs