On 18 January 2012, we at Comcast observed reports of failures of our users to reach the NASA.GOV website. End users on our network incorrectly interpreted this as an attempt by us to block access to the NASA website, on the same day as SOPA-related website protests. :-(

Since we feel that the entire Internet community has room for improvement on signing processes (not to single out NASA), we decided to start doing failure analyses here and there - and share them with the community in the hope that it will help bring greater operational scrutiny and maturity to DNSSEC signing processes.

So ... this is our first one. We welcome any comments or feedback!

The document is available at http://www.dnssec.comcast.net/DNSSEC_Validation_Failure_NASAGOV_20120118_FINAL.pdf. (short URL is http://bit.ly/NASA20120118)