ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] Re: Resolving .gov w/dnssec

  • To: cet1@xxxxxxxxx, "ga@xxxxxxxxxxxxxx >> GA" <ga@xxxxxxxxxxxxxx>, Joe Baptista <baptista@xxxxxxxxxxxxxx>
  • Subject: Re: [ga] Re: Resolving .gov w/dnssec
  • From: Hugh Dierker <hdierker2204@xxxxxxxxx>
  • Date: Thu, 22 Apr 2010 21:15:33 -0700 (PDT)

Fair trade is necessary trade. Unnecessary tradeoffs are lame. These problems 
are not necessary -- except that they are within the given framework of lack of 
motivation to do better.  It comes down to this, if we set our standards 
outside of competitive models there is no incentive to do better.  ICANN, the 
Dnssec and this SAIC are working within government sanctioned slobbery, 
both intellectual and economic slobbery.  I used to think it was snobbery, now 
I know it is a laziness born of shovel leaning bureaucrats. You may be kind and 
call it "make work" but would you call intentional fraud "make work"? Buggy 
whips and Railroad fireman is what this is.
 
The plan I am putting together for the inclusives will generate some new fire 
under the pants of these obstructionists and they will find that a better 
mousetrap can be built.
 


--- On Thu, 4/22/10, Joe Baptista <baptista@xxxxxxxxxxxxxx> wrote:


From: Joe Baptista <baptista@xxxxxxxxxxxxxx>
Subject: [ga] Re: Resolving .gov w/dnssec
To: cet1@xxxxxxxxx, "ga@xxxxxxxxxxxxxx >> GA" <ga@xxxxxxxxxxxxxx>
Cc: "Paul Wouters" <paul@xxxxxxxxxxxxx>, "Bind Users Mailing List" 
<bind-users@xxxxxxxxxxxxx>, "Timothe Litt" <litt@xxxxxxx>
Date: Thursday, April 22, 2010, 8:07 AM


Looks like the future of the DNSSEC make work project includes resolution 
failures here and there. More security - less stability - guaranteed slavery. I 
wonder if it's a fair trade.

we'll see ..
regards
joe baptista


On Thu, Apr 22, 2010 at 10:52 AM, Chris Thompson <cet1@xxxxxxxxx> wrote:


On Apr 22 2010, Paul Wouters wrote:


On Thu, 22 Apr 2010, Timothe Litt wrote:


I'm having trouble resolving uspto.gov with bind 9.6.1-P3 and 9.6-ESV
configured as validating resolvers.

Using dig, I get a connection timeout error after a long (~10 sec) delay.
+cdflag provides an immediate response.


Is anyone else seeing this?  Ideas on how to troubleshoot?

I have the same problems with our validating unbound instance. 

I suspect that this has to do with

 dig +dnssec +norec dnskey uspto.gov @dns1.uspto.gov.
 dig +dnssec +norec dnskey uspto.gov @sns2.uspto.gov.

failing with timeouts, while

 dig +dnssec +norec +vc dnskey uspto.gov @dns1.uspto.gov.
 dig +dnssec +norec +vc dnskey uspto.gov @dns2.uspto.gov.

work fine ... with a 1736-byte answer. Probably the fragmented
UDP response is getting lost somewhere near the authoritative
servers themselves.

-- 
Chris Thompson
Email: cet1@xxxxxxxxx
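
Added example, not part of the original thread and not code from any of the posters: it builds the kind of DNSKEY query the dig commands above send (EDNS0 OPT record with the DO bit, RD clear), then shows why a 1736-byte answer cannot travel in one UDP packet and how the "UDP times out, TCP works" pattern is classified. The function names are hypothetical; it assumes a 1500-byte path MTU, a 20-byte IPv4 header without options, and an advertised EDNS size of 4096.

```python
import struct

IPV4_HEADER = 20  # bytes, assumes no IP options
UDP_HEADER = 8

def build_dnskey_query(name, bufsize, do_bit=True, qid=0x1234):
    """DNSKEY query with an EDNS0 OPT record and RD clear (like dig +norec)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 48, 1)  # QTYPE=DNSKEY (48), QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS carries the advertised UDP size,
    # TTL carries ext-rcode/version/flags; DO is the top bit of the flags.
    ttl = 0x00008000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, ttl, 0)
    return header + question + opt

def advertised_udp_size(query):
    """Read the EDNS0 UDP payload size back out of a query built above."""
    rtype, size = struct.unpack("!HH", query[-10:-6])  # OPT is the last 11 bytes
    return size if rtype == 41 else 512

def ipv4_fragments(dns_len, mtu=1500):
    """IP payload sizes a UDP DNS message of dns_len bytes is split into."""
    limit = mtu - IPV4_HEADER
    remaining = dns_len + UDP_HEADER
    per_frag = limit // 8 * 8  # non-final fragments carry a multiple of 8 bytes
    frags = []
    while remaining > limit:
        frags.append(per_frag)
        remaining -= per_frag
    frags.append(remaining)
    return frags

def diagnose(udp_answered, tcp_answer_len, bufsize, mtu=1500):
    """Classify the probe pattern: UDP query outcome vs. TCP (+vc) answer size."""
    if udp_answered:
        return "udp-ok"
    if tcp_answer_len is None:
        return "server-unreachable"
    if tcp_answer_len > bufsize:
        # Server should have sent a small truncated (TC) reply instead.
        return "expect-truncation-not-timeout"
    if len(ipv4_fragments(tcp_answer_len, mtu)) > 1:
        return "fragmented-udp-reply-likely-dropped"
    return "udp-blocked-for-other-reason"

if __name__ == "__main__":
    q = build_dnskey_query("uspto.gov", 4096)
    print(len(q), advertised_udp_size(q), ipv4_fragments(1736))
    print(diagnose(False, 1736, advertised_udp_size(q)))
```

On a validating BIND resolver, setting `edns-udp-size` below the single-packet limit (1472 bytes of DNS payload under these assumptions) makes the server truncate instead of fragment, so the resolver retries over TCP.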



