cacert-sysadm - Re: [s20101217.100] You DNS records are failing DNSSEC checks

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

Re: [s20101217.100] You DNS records are failing DNSSEC checks


  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: cacert-sysadm AT lists.cacert.org
  • Cc: dns-admin AT cacert.org
  • Subject: Re: [s20101217.100] You DNS records are failing DNSSEC checks
  • Date: Mon, 20 Dec 2010 14:13:09 +0100
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
  • Organization: CAcert

On 12/17/2010 22:45 PM, Nicko van Someren wrote:
>  Several ISPs around the world, including Comcast in the USA, are now
> validating all DNSSEC-enabled responses that pass through their proxy 
> servers.
>  While they pass records that lack any DNSSEC support, records with DNSSEC
> fields which fail signature checks are rejected and the corresponding sites
> are inaccessible.  Currently the cacert.org domain falls into this category.
> See: http://dnssec-debugger.verisignlabs.com/www.cacert.org for details.

Until recently we were relying on ISC's DLV registry (dlv.isc.org) to
publish the knowledge about CAcert's DNSSEC keys, because our DNS registrar
did not yet provide a mechanism for submitting DS records.
But fortunately they recently upgraded their provisioning system, so now we
have been able to submit the appropriate DS records for the cacert.org and
cacert.net zones (while we have signed cacert.com also, DNSSEC is not yet
available for .com).

> It would be hugely helpful if you could either fix your DNSSEC records or,
> as a last resort, disable DNSSEC on your domain.  As it stands anyone who is
> running a DNSSEC-validating DNS resolver, or who uses an ISP that performs
> validation in its DNS proxies, is unable to reach your domain.

In my opinion, anyone running a DNSSEC-validating resolver would be wise to
include support for validation via DLV for the time being, in addition to
the validation straight from the signed root. A large number of registrars
is currently still unable to provide their customers with a mechanism to
upload DS records, but some (and hopefully many!) of those customers DO want
to use DNSSEC and will try to test and deploy it via the DLV route.
Forgetting to handle those seems like a disservice to your DNS resolver's
clients ...

Regards,
-- wytze

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
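The reply above turns on one operational step: the DS records submitted to the registrar must correspond exactly to the DNSKEY (KSK) actually published in the signed zone, otherwise validating resolvers see a broken chain and the domain becomes unreachable for them, which is the failure the original report describes. The following is an added example, not code from the thread, CAcert or any DNS tool; it reimplements the DS construction from RFC 4034 (key tag from Appendix B, digest over the canonical owner name plus DNSKEY RDATA) so an operator can check offline that a DS about to be submitted, or one already published by the parent, matches the zone's key. The function names (`name_to_wire`, `dnskey_rdata`, `key_tag`, `make_ds`, `ds_matches`) are mine, and the DNSKEY public key `AQI=` is a constructed two-byte placeholder, not a real key.

```python
import base64
import hashlib
import struct

# Digest types registered for DS records that this example supports:
# 1 = SHA-1 (legacy), 2 = SHA-256.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, each label length-prefixed, terminated by the root label."""
    out = bytearray()
    for label in owner.rstrip(".").lower().split("."):
        if len(label) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (all algorithms but 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> str:
    """Build the DS presentation text '<tag> <alg> <digest type> <hex digest>'
    that the parent zone should publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(owner: str, dnskey_text: str, ds_text: str) -> bool:
    """True if a DS record (as published by the parent / registrar) matches the
    DNSKEY (as served by the child zone). Both are given in presentation
    format, e.g. '257 3 8 <base64>' and '<tag> 8 2 <hex>'. A stale DS left
    over from a key rollover, a wrong owner name, or a digest typo all fail."""
    flags, protocol, algorithm, *key_parts = dnskey_text.split()
    tag, alg, dtype, *digest_parts = ds_text.split()
    flags, protocol, algorithm = int(flags), int(protocol), int(algorithm)
    tag, alg, dtype = int(tag), int(alg), int(dtype)
    if alg != algorithm or dtype not in DIGESTS:
        return False
    expected = make_ds(owner, flags, protocol, algorithm, "".join(key_parts), dtype)
    exp_tag, _, _, exp_digest = expected.split()
    return int(exp_tag) == tag and exp_digest == "".join(digest_parts).upper()


if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257) with a placeholder two-byte key.
    owner = "cacert.org"
    dnskey = "257 3 8 AQI="
    ds = make_ds(owner, 257, 3, 8, "AQI=")
    print("DS to submit for", owner + ":", ds)
    print("matches zone key:", ds_matches(owner, dnskey, ds))
    # The same DS published under a different zone name does not validate.
    print("matches under cacert.net:", ds_matches("cacert.net", dnskey, ds))
```

In practice the DNSKEY text comes from the zone's own data (`dig DNSKEY <zone>`) and the DS text from the parent (`dig DS <zone>` at the parent's servers); running `ds_matches` over every DS the parent publishes tells you whether at least one still points at a live KSK, which is the check worth scripting before and after any key rollover or registrar change. The arithmetic mirrors what BIND's `dnssec-dsfromkey` produces, so its output can be used as a cross-check.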