[dns-wg] unsubscribe jkuijer at dds.nl
jkuijer at dds.nl
Wed Nov 30 12:42:32 CET 2005
Quoting dns-wg-request at ripe.net:

> Send dns-wg mailing list submissions to
> dns-wg at ripe.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://www.ripe.net/mailman/listinfo/dns-wg
> or, via email, send a message with subject or body 'help' to
> dns-wg-request at ripe.net
>
> You can reach the person managing the list at
> dns-wg-admin at ripe.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of dns-wg digest..."
>
> Today's Topics:
>
> 1. unsubscribe jkuijer at dds.nl (jkuijer at dds.nl)
> 2. RE: RIPE NCC DNSSEC on the reverse tree update. (Brett Carr)
> 3. RE: RIPE NCC DNSSEC on the reverse tree update. (Alexander Gall)
>
> --__--__--
>
> Message: 1
> Date: Tue, 29 Nov 2005 12:24:05 +0100
> From: jkuijer at dds.nl
> To: dns-wg at ripe.net
> Subject: [dns-wg] unsubscribe jkuijer at dds.nl
>
> Quoting dns-wg-request at ripe.net:
>
> > Send dns-wg mailing list submissions to
> > dns-wg at ripe.net
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > http://www.ripe.net/mailman/listinfo/dns-wg
> > or, via email, send a message with subject or body 'help' to
> > dns-wg-request at ripe.net
> >
> > You can reach the person managing the list at
> > dns-wg-admin at ripe.net
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of dns-wg digest..."
> >
> > Today's Topics:
> >
> > 1. RE: RIPE NCC DNSSEC on the reverse tree update. (Alexander Gall)
> > 2. RE: RIPE NCC DNSSEC on the reverse tree update. (Randy Bush)
> >
> > -- __--__--
> >
> > Message: 1
> > From: Alexander Gall <gall at switch.ch>
> > Date: Mon, 28 Nov 2005 12:02:49 +0100
> > To: "Brett Carr" <brettcarr at ripe.net>
> > Cc: <dns-wg at ripe.net>
> > Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> >
> > On Mon, 28 Nov 2005 11:24:45 +0100, "Brett Carr" <brettcarr at ripe.net> said:
> >
> > >> -----Original Message-----
> > >> From: Alexander Gall [mailto:gall at switch.ch]
> > >> Sent: 28 November 2005 08:47
> > >> To: Brett Carr
> > >> Cc: dns-wg at ripe.net
> > >> Subject: Re: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> > >>
> > >> Brett,
> > >>
> > >> What's going on with 195.in-addr.arpa? All DNSSEC records
> > >> are gone, e.g.
> > >>
> > >
> > > We saw some zone file corruption during the early hours of the morning,
> > > this caused a failsafe operation to takeover and hence the zones were
> > > published without signatures. I've investigated and fixed the corruption
> > > and so now everything is back to normal.
> >
> > Thanks. Having such a failsafe procedure is probably a good idea.
> > However, it caused my sub-zone to be marked as bogus, which is bad
> > (i.e. my cache with only the key for 195.in-addr.arpa configured as
> > trusted key returned SERVFAIL for all queries within
> > 176.195.in-addr.arpa). I think that you must not leave the DS records
> > in the zone when all other DNSSEC RRsets are removed (and the DS
> > record for my zone was definitely there). Otherwise, a verifier will
> > find a DS record but is unable to check its authenticity and has to
> > declare the zone as bogus.
> >
> > --
> > Alex
> >
> > -- __--__--
> >
> > Message: 2
> > From: Randy Bush <randy at psg.com>
> > Date: Mon, 28 Nov 2005 06:01:50 -1000
> > To: "Brett Carr" <brettcarr at ripe.net>
> > Cc: dns-wg at ripe.net
> > Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> >
> > > We saw some zone file corruption during the early hours of the
> > > morning, this caused a failsafe operation to takeover and hence
> > > the zones were published without signatures.
> >
> > considering the obvious attack paths this opens, one assumes that
> > this 'failsafe' would not be part of the operation of a secure
> > zone in normal, as opposed to trial, operation.
> >
> > randy
> >
> > End of dns-wg Digest
> >
>
> --__--__--
>
> Message: 2
> From: "Brett Carr" <brettcarr at ripe.net>
> To: "'Alexander Gall'" <gall at switch.ch>
> Cc: <dns-wg at ripe.net>
> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> Date: Tue, 29 Nov 2005 16:38:58 +0100
>
> > -----Original Message-----
> > From: Alexander Gall [mailto:gall at switch.ch]
> > Sent: 25 November 2005 15:22
> > To: Brett Carr
> > Cc: dns-wg at ripe.net
> > Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> >
> > Brett,
> >
> > On Fri, 25 Nov 2005 14:41:34 +0100, "Brett Carr"
> > <brettcarr at ripe.net> said:
> >
> > >> -----Original Message-----
> > >> From: Alexander Gall [mailto:gall at switch.ch]
> > >> Sent: 25 November 2005 11:48
> > >> To: Brett Carr
> > >> Cc: dns-wg at ripe.net
> > >> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> >
> > [...]
> >
> > >>
> > >> However, I think there is a problem with ns.ripe.net. It doesn't
> > >> return DNSSEC RRsets when the DO flag is set in the query:
> > >>
> >
> > [...]
> >
> > > I found a small config typo, which I have fixed, it should
> > > be ok now though.
> >
> > Thanks, it looks good now.
> >
> > Did you have a chance to look (or have somebody else have a
> > look :-) at
> > <https://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi> for the
> > zone 176.195.in-addr.arpa? I can see two problems:
> >
> > - For some reason, the tool doesn't get replies to queries for NS and
> >   DNSKEY records at our name servers {merapi,scsnms}.switch.ch with
> >   the DO flag set. The tool then (erroneously) concludes that these
> >   RRsets are inconsistent among the servers for the zone.
> >
> >   I see the queries coming in on our servers from 193.0.0.214. Could
> >   it be that the replies are filtered somewhere in your network (having
> >   strange flags and all that)?
> >
> We have now fixed this after finding some strange (udp fragment) filtering
> behaviour on our Juniper router, We will be carrying out more (lab based)
> tests on this and will report the results to Juniper.
>
> Regards
>
> Brett
>
> --
> Brett Carr RIPE Network Coordination Centre
> Systems Engineer -- Operations Group Amsterdam, Netherlands
> GPG Key fingerprint = F20D B2A7 C91D E370 44CF F244 B6A1 EF48 E743 F7D8
>
> --__--__--
>
> Message: 3
> From: Alexander Gall <gall at switch.ch>
> Date: Wed, 30 Nov 2005 08:59:37 +0100
> To: "Brett Carr" <brettcarr at ripe.net>
> Cc: <dns-wg at ripe.net>
> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
>
> On Tue, 29 Nov 2005 16:38:58 +0100, "Brett Carr" <brettcarr at ripe.net> said:
>
> >> Did you have a chance to look (or have somebody else have a
> >> look :-) at
> >> <https://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi> for the
> >> zone 176.195.in-addr.arpa? I can see two problems:
> >>
> >> - For some reason, the tool doesn't get replies to queries for NS and
> >>   DNSKEY records at our name servers {merapi,scsnms}.switch.ch with
> >>   the DO flag set. The tool then (erroneously) concludes that these
> >>   RRsets are inconsistent among the servers for the zone.
> >>
> >>   I see the queries coming in on our servers from 193.0.0.214. Could
> >>   it be that the replies are filtered somewhere in your network (having
> >>   strange flags and all that)?
>
> > We have now fixed this after finding some strange (udp fragment) filtering
> > behaviour on our Juniper router, We will be carrying out more (lab based)
> > tests on this and will report the results to Juniper.
>
> Thanks!
>
> --
> Alex
>
> End of dns-wg Digest
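
Added example (not part of the original message or of any RIPE NCC tooling): the ns.ripe.net symptom reported in the thread, a query sent with the DO flag that comes back without DNSSEC RRsets, expressed as a check on DNS wire format. The reply bytes, the message ID and the name ns.example are constructed for illustration.

```python
import struct

TYPE_NS, TYPE_OPT, TYPE_RRSIG = 2, 41, 46
DO_BIT = 0x8000  # "DNSSEC OK": top bit of the EDNS flags held in the OPT TTL field

def encode_name(name):
    parts = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, qtype, do=True, udp_size=4096, msg_id=0x1234):
    """One question plus an EDNS0 OPT pseudo-record (root owner name,
    CLASS = advertised UDP size, TTL = ext-rcode/version/flags)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if do else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # pointer is 2 bytes, root label is 1

def summarize(msg):
    """Return (DO flag, advertised UDP size, RR types seen outside the question)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    do, size, types = False, None, set()
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do, size = bool(ttl & DO_BIT), rclass
        else:
            types.add(rtype)
    return do, size, types

def dnssec_reply_ok(query, reply):
    """False when the query set DO but the reply carries no RRSIG at all."""
    return not summarize(query)[0] or TYPE_RRSIG in summarize(reply)[2]

def sample_reply(query, signed):
    """Constructed reply: one NS record, plus placeholder RRSIG bytes if signed."""
    def rr(rtype, rdata):  # owner name is a pointer back to the question name
        return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    head = struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 2 if signed else 1, 0, 0)
    body = rr(TYPE_NS, encode_name("ns.example")) + (
        rr(TYPE_RRSIG, b"\x00" * 18) if signed else b"")  # not a real signature
    return head + query[12:len(query) - 11] + body  # reuse question, drop 11-byte OPT
```

The check only looks for the presence of RRSIG records; it does not validate signatures, and a reply that never arrives (as with the fragment filtering described in the thread) has to be caught by the caller as a timeout.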