Quoting dns-wg-request@ripe.net:
Send dns-wg mailing list submissions to dns-wg@ripe.net
Today's Topics:
1. RE: RIPE NCC DNSSEC on the reverse tree update. (Alexander Gall)
2. RE: RIPE NCC DNSSEC on the reverse tree update. (Randy Bush)
--__--__--
Message: 1
From: Alexander Gall <gall@switch.ch>
Date: Mon, 28 Nov 2005 12:02:49 +0100
To: "Brett Carr" <brettcarr@ripe.net>
Cc: <dns-wg@ripe.net>
Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
On Mon, 28 Nov 2005 11:24:45 +0100, "Brett Carr" <brettcarr@ripe.net> said:

> -----Original Message-----
> From: Alexander Gall [mailto:gall@switch.ch]
> Sent: 28 November 2005 08:47
> To: Brett Carr
> Cc: dns-wg@ripe.net
> Subject: Re: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
>
>> Brett,
>>
>> What's going on with 195.in-addr.arpa? All DNSSEC records are gone, e.g.
>
> We saw some zone file corruption during the early hours of the morning; this caused a failsafe operation to take over, and hence the zones were published without signatures. I've investigated and fixed the corruption and so now everything is back to normal.

Thanks. Having such a failsafe procedure is probably a good idea. However, it caused my sub-zone to be marked as bogus, which is bad (i.e. my cache, with only the key for 195.in-addr.arpa configured as trusted key, returned SERVFAIL for all queries within 176.195.in-addr.arpa). I think that you must not leave the DS records in the zone when all other DNSSEC RRsets are removed (and the DS record for my zone was definitely there). Otherwise, a verifier will find a DS record but is unable to check its authenticity and has to declare the zone as bogus.

-- Alex
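As an added example (not code from this thread or from the RIPE NCC's own tooling), here is the kind of pre-publish consistency check a failsafe could run before serving a fallback copy of a signed parent zone: it refuses a copy that still carries DS records without a DNSKEY, and shows the consistent alternative of stripping the DS records too, so children become insecure rather than bogus. The zone text, owner names, key tags and digests are constructed placeholders, not the real 195.in-addr.arpa data.

```python
# Added example: pre-publish check for a failsafe copy of a signed zone.
# If DS records survive while DNSKEY/RRSIG are gone, a validator finds a
# delegation it cannot verify and answers SERVFAIL (bogus). Zone text is
# constructed; names, key tags and digests are placeholders.
from collections import defaultdict

DNSSEC_TYPES = {"DS", "DNSKEY", "RRSIG", "NSEC"}

# Constructed failsafe output: one presentation-format record per line.
FAILSAFE_ZONE = """\
195.in-addr.arpa. 86400 IN SOA ns.example. hostmaster.example. 1 2 3 4 5
195.in-addr.arpa. 86400 IN NS ns.example.
176.195.in-addr.arpa. 86400 IN NS ns.child.example.
176.195.in-addr.arpa. 86400 IN DS 12345 5 1 PLACEHOLDERDIGEST
"""

def parse_zone(text):
    """Return {(owner, type): [rdata, ...]}, skipping comments/blank lines."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(None, 4)  # owner ttl class type rdata
        if len(parts) < 5 or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        rrsets[(owner.lower(), rtype.upper())].append(rdata)
    return rrsets

def publish_problems(zone_text):
    """List the reasons a validator would declare data under this zone bogus."""
    rrsets = parse_zone(zone_text)
    apex = next(o for o, t in rrsets if t == "SOA")
    signed = (apex, "DNSKEY") in rrsets
    problems = []
    for owner, rtype in rrsets:
        if rtype == "RRSIG" or (rtype == "NS" and owner != apex):
            continue  # RRSIGs sign others; delegation NS is unsigned by design
        sigs = rrsets.get((owner, "RRSIG"), [])  # RRSIG rdata starts with type covered
        if rtype == "DS" and not signed:
            problems.append(f"DS for {owner} published but zone has no DNSKEY")
        elif signed and not any(s.split()[0] == rtype for s in sigs):
            problems.append(f"{owner} {rtype} has no RRSIG")
    return problems

def strip_dnssec(zone_text):
    """Consistent fallback: drop DS too, so children become insecure, not bogus."""
    keep = [l for l in zone_text.splitlines()
            if len(l.split(None, 4)) < 5 or l.split()[3].upper() not in DNSSEC_TYPES]
    return "\n".join(keep) + "\n"
```

Running `publish_problems(FAILSAFE_ZONE)` flags the orphaned DS; after `strip_dnssec` the same check passes because the delegation is now consistently unsigned.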
--__--__--
Message: 2
From: Randy Bush <randy@psg.com>
Date: Mon, 28 Nov 2005 06:01:50 -1000
To: "Brett Carr" <brettcarr@ripe.net>
Cc: dns-wg@ripe.net
Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> We saw some zone file corruption during the early hours of the morning; this caused a failsafe operation to take over, and hence the zones were published without signatures.
considering the obvious attack paths this opens, one assumes that this 'failsafe' would not be part of the operation of a secure zone in normal, as opposed to trial, operation.
randy
End of dns-wg Digest