On Apr 13, 2012, at 2:18 PM, Patrik Fältström wrote:

> On 13 apr 2012, at 22:44, Nicholas Weaver wrote:
>
>> Because practice has shown that it is the recursive resolver, not the
>> authority, that gets blamed.
>
> As you saw in my mail, I completely disagree from my own personal experience.
>
> If I look at the number of failures, the number of cases where the validator
> is blamed is exactly one -- Comcast in the NASA case. Compared to the about
> 50 cases or so when the zone owner/signer is blamed. Yes, we have been
> running DNSSEC validation in Sweden a bit longer than in the USA.
>
> Can you please comment on that mail that uses a few more characters than '+1'
> please?
https://groups.google.com/group/public-dns-discuss

A good indication of how NORMAL DNSSEC failures get blamed on the recursive resolver operator.

Likewise, Comcast being blamed for blocking "digifit.com":
http://forums.comcast.com/t5/Security-and-Anti-Virus/Comcast-blocking-site/td-p/1140537

Or being blamed for blocking bitcoinica.com, again due to DNSSEC validation failures:
http://twitter.com/#!/comcasttom
http://dnsviz.net/d/www.bitcoinica.com/dnssec/

Currently, Comcast is not getting stress for this because they simply turned off validation, using basically this technique, for bitcoinica.com [1], because it STILL isn't right.

[1] Validation of the invalidation for www.bitcoinica.com: DNS OARC DNSSEC-open resolver (running BIND), first with +dnssec, then with +cd, then to Comcast's validating resolvers and validating that the Comcast resolver validates.

nweaver% dig +dnssec www.bitcoinica.com @149.20.64.20

; <<>> DiG 9.7.3-P3 <<>> +dnssec www.bitcoinica.com @149.20.64.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50201
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.bitcoinica.com.		IN	A

;; Query time: 2490 msec
;; SERVER: 149.20.64.20#53(149.20.64.20)
;; WHEN: Fri Apr 13 14:36:10 2012
;; MSG SIZE  rcvd: 47

nweaver% dig +dnssec +cd www.bitcoinica.com @149.20.64.20

; <<>> DiG 9.7.3-P3 <<>> +dnssec +cd www.bitcoinica.com @149.20.64.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25328
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.bitcoinica.com.		IN	A

;; ANSWER SECTION:
www.bitcoinica.com.	39	IN	CNAME	bitcoinica.com.
bitcoinica.com.		39	IN	A	50.56.4.62

;; AUTHORITY SECTION:
bitcoinica.com.		172539	IN	NS	ns-556.awsdns-05.net.
bitcoinica.com.		172539	IN	NS	ns-1893.awsdns-44.co.uk.
bitcoinica.com.		172539	IN	NS	ns-395.awsdns-49.com.
bitcoinica.com.		172539	IN	NS	ns-1199.awsdns-21.org.

;; Query time: 903 msec
;; SERVER: 149.20.64.20#53(149.20.64.20)
;; WHEN: Fri Apr 13 14:40:40 2012
;; MSG SIZE  rcvd: 214

nweaver% dig +dnssec www.bitcoinica.com @75.75.75.75

; <<>> DiG 9.7.3-P3 <<>> +dnssec www.bitcoinica.com @75.75.75.75
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10370
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;www.bitcoinica.com.		IN	A

;; ANSWER SECTION:
www.bitcoinica.com.	300	IN	CNAME	bitcoinica.com.
bitcoinica.com.		300	IN	A	50.56.4.62

;; Query time: 123 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Fri Apr 13 14:37:27 2012
;; MSG SIZE  rcvd: 77

nweaver% dig +dnssec www.dnssec-failed.org @75.75.75.75

; <<>> DiG 9.7.3-P3 <<>> +dnssec www.dnssec-failed.org @75.75.75.75
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29502
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;www.dnssec-failed.org.		IN	A

;; Query time: 41 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Fri Apr 13 14:43:15 2012
;; MSG SIZE  rcvd: 50

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
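The footnote above is a three-step diagnostic: ask a validating resolver with +dnssec, repeat with +cd (checking disabled), then confirm the resolver really validates by probing a name known to be broken. The following is an added example, not part of Nicholas Weaver's message or any DNSOP draft: it parses the header lines dig prints and turns that comparison into a classifier. A SERVFAIL that becomes NOERROR under +cd means the data is reachable and only the signature chain is broken (a zone signer problem); a SERVFAIL under both means ordinary resolution failure; a NOERROR without the ad (authenticated data) flag means the resolver did not vouch for this name, which is what Comcast's answer for www.bitcoinica.com shows. The sample headers are trimmed copies of the dig runs in the message; the +cd response for www.dnssec-failed.org is constructed, since the message has no such run. Function and constant names are this example's own.

```python
"""Classify a dig result as a DNSSEC validation failure or not.

Added example (not from the DNSOP thread). Automates the footnote's check:
query with +dnssec, then again with +cd, and compare the RCODEs.
"""
import re
import subprocess

# dig prints the response header as two lines, e.g.
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50201
#   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
# Anchoring on ";; flags:" keeps us off the EDNS line, which also says "flags: do;".
_STATUS_RE = re.compile(r";; ->>HEADER<<-.*?status:\s*([A-Z]+)")
_FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)


def parse_dig_header(output):
    """Return (rcode, set of header flags) from dig's text output."""
    status = _STATUS_RE.search(output)
    flags = _FLAGS_RE.search(output)
    if not status or not flags:
        raise ValueError("no dig response header found (timeout, or not dig output)")
    return status.group(1), set(flags.group(1).split())


def classify(with_validation, with_cd=None):
    """Decide what a `dig +dnssec NAME @RESOLVER` answer means.

    with_cd is the output of the same query with +cd added; it is only
    consulted when the first answer was SERVFAIL. Returns one of:
      "validated"          NOERROR with ad: the resolver checked the chain.
      "unvalidated"        NOERROR without ad: the zone is unsigned (normal),
                           the resolver does not validate, or validation was
                           switched off for this zone. A probe of a known-bad
                           name against the same resolver tells the last two
                           apart; one answer cannot.
      "validation-failure" SERVFAIL, but NOERROR with checking disabled: the
                           data is reachable, the signatures/chain are broken.
      "resolution-failure" SERVFAIL both ways: authority unreachable or lame,
                           not a DNSSEC problem.
      "needs-cd-query"     SERVFAIL but no +cd output was supplied.
      "other:<RCODE>"      anything else (NXDOMAIN, REFUSED, ...).
    """
    rcode, flags = parse_dig_header(with_validation)
    if rcode == "NOERROR":
        return "validated" if "ad" in flags else "unvalidated"
    if rcode != "SERVFAIL":
        return "other:" + rcode
    if with_cd is None:
        return "needs-cd-query"
    cd_rcode, cd_flags = parse_dig_header(with_cd)
    if "cd" not in cd_flags:
        # RFC 4035 has the server copy CD from query to response; if it is
        # absent we never asked with checking disabled and the comparison is void.
        raise ValueError("second response lacks the cd flag; was +cd used?")
    return "validation-failure" if cd_rcode == "NOERROR" else "resolution-failure"


def run_dig(name, server, cd=False, timeout=10):
    """Live path (needs network): run dig exactly as the footnote does."""
    cmd = ["dig", "+dnssec"] + (["+cd"] if cd else []) + [name, "@" + server]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=timeout).stdout


# Sample headers, trimmed from the dig runs quoted in the message.
OARC_DNSSEC = """
; <<>> DiG 9.7.3-P3 <<>> +dnssec www.bitcoinica.com @149.20.64.20
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50201
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""
OARC_CD = """
; <<>> DiG 9.7.3-P3 <<>> +dnssec +cd www.bitcoinica.com @149.20.64.20
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25328
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
"""
COMCAST_BITCOINICA = """
; <<>> DiG 9.7.3-P3 <<>> +dnssec www.bitcoinica.com @75.75.75.75
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10370
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
COMCAST_DNSSEC_FAILED = """
; <<>> DiG 9.7.3-P3 <<>> +dnssec www.dnssec-failed.org @75.75.75.75
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29502
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed, not in the message: the expected +cd answer for the
# deliberately broken test zone (NOERROR once checking is disabled).
CONSTRUCTED_DNSSEC_FAILED_CD = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print("OARC    www.bitcoinica.com   :", classify(OARC_DNSSEC, OARC_CD))
    print("Comcast www.bitcoinica.com   :", classify(COMCAST_BITCOINICA))
    print("Comcast www.dnssec-failed.org:",
          classify(COMCAST_DNSSEC_FAILED, CONSTRUCTED_DNSSEC_FAILED_CD))
    # Live: classify(run_dig(name, server), run_dig(name, server, cd=True))
```

Note what the classifier cannot do: an "unvalidated" answer on its own does not prove the resolver has validation off for that zone, because an unsigned zone produces the same header. That is why the message pairs the www.bitcoinica.com answer from 75.75.75.75 with a www.dnssec-failed.org probe against the same resolver: a SERVFAIL there shows the resolver does validate in general, so a NOERROR without ad for a zone that dnsviz shows as signed points to validation having been disabled for that zone specifically.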