This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] Just another lookaside zone

Previous message (by thread): [dns-wg] Just another lookaside zone
Next message (by thread): [dns-wg] Just another lookaside zone

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Alexander Gall gall at switch.ch
Wed Feb 8 12:05:45 CET 2006

On Tue, 7 Feb 2006 17:13:56 +0000 (UTC), Lutz Donnerhacke <lutz at iks-jena.de> said:

> * Lutz Donnerhacke wrote:
>> I did not manage to install a web form right now. If you like to
>> get listed, please send me an email.

> Webform including some statistics is online:
>   https://www.iks-jena.de/leistungen/dnssec.php

I have several questions:

Why do you include DLV Records for Zones that are below a secure entry
point (those you call "chained")?  They will never be used unless the
parent zones become insecure.

What exactly does "DNSKEY unchecked, DSSET given" mean?  I suppose
that you have received the DSSET by the maintainer of the zone through
an authenticated channel (if not, you shouldn't add the DLV record at
all).  Why doesn't that make it a secure entry point and why should
you "check" the DNSKEY?

Why do you include DLV records for zones that you know are broken?

Obviously, this classification has no meaning for a resolver that does
lookaside validation.  All DLV Records in this zone must have been
authenticated by you (and we all trust you, of course :-), or the
scheme is useless.

Or am I missing the point and this zone should be used as a repository
for secure entry points from which one creates local trusted keys
rather than use it as a true lookaside zone?

Personally, I have come to the conclusion that I don't like it at all
that my cache considers the entire DNS bogus when the DLV zone becomes
unreachable or corrupted.  I'll stick to my locally configured trusted
keys and wait for the root to be signed.

BTW, there are some nasty bugs in the DLV implementation in BIND up to
9.3.2 (e.g. see what happens when you corrupt the trusted key of your
DLV zone, but don't do it on your production server :-)  I've been
told that it has been improved a lot for 9.4 and these changes will be
backported to 9.3.3.

>> I'm looking for a *stable* ipv6 and dnssec able secondary server
>> for our zones.  If you like to exchange secondary DNS service in
>> different AS, please contact me via OpenPGP mail.

> Problem solved. Half a day after this message, Cable & Wireless announced,
> that the switched there DNS infrastructure (at least for secondaries) to
> DNSSEC. Great!

Cool.  In case you still need secondaries, I can offer two in
Switzerland with excellent IPv6 connectivity :-)

--
Alex

Previous message (by thread): [dns-wg] Just another lookaside zone
Next message (by thread): [dns-wg] Just another lookaside zone

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]