[dns-wg] Just another lookaside zone
Alexander Gall
gall at switch.ch
Wed Feb 8 12:05:45 CET 2006
On Tue, 7 Feb 2006 17:13:56 +0000 (UTC), Lutz Donnerhacke <lutz at iks-jena.de> said:

> * Lutz Donnerhacke wrote:
>> I did not manage to install a web form right now. If you like to
>> get listed, please send me an email.

> Webform including some statistics is online:
> https://www.iks-jena.de/leistungen/dnssec.php

I have several questions:

Why do you include DLV records for zones that are below a secure entry point (those you call "chained")? They will never be used unless the parent zones become insecure.

What exactly does "DNSKEY unchecked, DSSET given" mean? I suppose that you have received the DSSET from the maintainer of the zone through an authenticated channel (if not, you shouldn't add the DLV record at all). Why doesn't that make it a secure entry point, and why should you "check" the DNSKEY?

Why do you include DLV records for zones that you know are broken? Obviously, this classification has no meaning for a resolver that does lookaside validation. All DLV records in this zone must have been authenticated by you (and we all trust you, of course :-), or the scheme is useless.

Or am I missing the point, and this zone should be used as a repository for secure entry points from which one creates local trusted keys rather than using it as a true lookaside zone?

Personally, I have come to the conclusion that I don't like it at all that my cache considers the entire DNS bogus when the DLV zone becomes unreachable or corrupted. I'll stick to my locally configured trusted keys and wait for the root to be signed.

BTW, there are some nasty bugs in the DLV implementation in BIND up to 9.3.2 (e.g. see what happens when you corrupt the trusted key of your DLV zone, but don't do it on your production server :-). I've been told that it has been improved a lot for 9.4 and that these changes will be backported to 9.3.3.

>> I'm looking for a *stable* ipv6 and dnssec able secondary server
>> for our zones. If you like to exchange secondary DNS service in
>> different AS, please contact me via OpenPGP mail.

> Problem solved. Half a day after this message, Cable & Wireless announced
> that they switched their DNS infrastructure (at least for secondaries) to
> DNSSEC. Great!

Cool. In case you still need secondaries, I can offer two in Switzerland with excellent IPv6 connectivity :-)

-- 
Alex
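As an added illustration of two points raised in the message above (a DLV record for a zone already below a locally trusted entry point is never consulted, and an unreachable DLV zone turns every name without a local anchor bogus), here is a constructed Python model of lookaside validation. It is not BIND's code, it simplifies a missing DS to a proven insecure delegation, and all zone names in it are made up.

```python
from typing import Iterator, Optional


def parent(zone: str) -> Optional[str]:
    """Parent of a zone name ('a.b.example' -> 'b.example', 'example' -> '.')."""
    if zone == ".":
        return None
    _, _, rest = zone.partition(".")
    return rest or "."


def ancestors(zone: str) -> Iterator[str]:
    """Yield zone, its parent, and so on up to and including the root."""
    z: Optional[str] = zone
    while z is not None:
        yield z
        z = parent(z)


class LookasideValidator:
    """Toy resolver: local trusted keys first, DLV only for uncovered names."""

    def __init__(self, trusted_keys, ds_links, dlv_entries, dlv_reachable=True):
        self.trusted_keys = set(trusted_keys)  # locally configured secure entry points
        self.ds_links = set(ds_links)          # zones whose parent publishes a DS for them
        self.dlv_entries = set(dlv_entries)    # zones with a record in the DLV zone
        self.dlv_reachable = dlv_reachable     # models the outage the message complains about

    def _chains_to(self, zone: str, anchors: set) -> bool:
        """Walk upward: reach an anchor over unbroken DS links, or fail."""
        for z in ancestors(zone):
            if z in anchors:
                return True
            if z not in self.ds_links:   # assumption: no DS means a proven insecure delegation
                return False
        return False

    def validate(self, zone: str) -> str:
        """Return 'secure', 'insecure' or 'bogus' for data in `zone`."""
        if self._chains_to(zone, self.trusted_keys):
            return "secure"              # DLV is never consulted below a local entry point
        if not self.dlv_reachable:
            return "bogus"               # no way to prove the name insecure without DLV
        for z in ancestors(zone):        # closest enclosing DLV entry acts as entry point
            if z in self.dlv_entries:
                return "secure" if self._chains_to(zone, {z}) else "insecure"
        return "insecure"
```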