Deploying DNSSEC in e164.arpa zone
Dear Colleagues, The RIPE NCC is pleased to announce its plan for the deployment of DNSSEC in the e164.arpa zone (ENUM). This improvement to the operation of the domain was developed and concluded following consultation with the IETF's Internet Architecture Board (IAB). In line with the IAB's instructions, the RIPE NCC has provided technical administration for the e164.arpa zone since 2002. These instructions are documented and are available at: http://www.ripe.net/enum/instructions.html We informed the IAB of our intention to implement DNSSEC in the e164.arpa zone and we received positive feedback and support for the deployment. Details of the correspondence between the RIPE NCC and the IAB can be found at: http://www.iab.org/documents/correspondence/ We will start signing the e164.arpa on 26 November 2007 and support for secure delegations will be provided on 24 March 2008. Further announcements will be posted as these milestones approach. Best regards, Andrei Robachevsky Chief Technical Officer RIPE NCC
Finally :) Good news. We use DNSSEC for our 8.4.e164.zone for quite a long time. Best, Andrzej Bartosiewicz tel: +48 22 380 8395 tel: +1 (310) 817 6567 ENUM: 0.7.5.1.4.2.6.0.6.8.4.e164.arpa skype: abartosiewicz On Thu, 27 Sep 2007, Andrei Robachevsky wrote:
Dear Colleagues,
The RIPE NCC is pleased to announce its plan for the deployment of DNSSEC in the e164.arpa zone (ENUM). This improvement to the operation of the domain was developed and concluded following consultation with the IETF's Internet Architecture Board (IAB).
In line with the IAB's instructions, the RIPE NCC has provided technical administration for the e164.arpa zone since 2002. These instructions are documented and are available at: http://www.ripe.net/enum/instructions.html
We informed the IAB of our intention to implement DNSSEC in the e164.arpa zone and we received positive feedback and support for the deployment. Details of the correspondence between the RIPE NCC and the IAB can be found at: http://www.iab.org/documents/correspondence/
We will start signing the e164.arpa on 26 November 2007 and support for secure delegations will be provided on 24 March 2008. Further announcements will be posted as these milestones approach.
Best regards,
Andrei Robachevsky Chief Technical Officer RIPE NCC
Finally :) Good news. We use DNSSEC for our 8.4.e164.zone for quite a long time. .... ENUM: 0.7.5.1.4.2.6.0.6.8.4.e164.arpa So, time to sign this one as well :-). jaap
? it's properly signed. Andrzej Bartosiewicz tel: +48 22 380 8395 tel: +1 (310) 817 6567 ENUM: 0.7.5.1.4.2.6.0.6.8.4.e164.arpa skype: abartosiewicz On Thu, 27 Sep 2007, Jaap Akkerhuis wrote:
Finally :)
Good news. We use DNSSEC for our 8.4.e164.zone for quite a long time.
....
ENUM: 0.7.5.1.4.2.6.0.6.8.4.e164.arpa
So, time to sign this one as well :-).
jaap
Jaap, i've checked... this domain is signed, ALL servers respond with DNSSEC data EXCEPT the RIPE server which do not support DNSSEC.... so if you resolve domains from 8.4.e164.arpa zone using RIPE server, you can't get DNSSEC enabled answers. we will remove ns.ripe.net and the problem will be solved today. thanks Andrzej Bartosiewicz tel: +48 22 380 8395 tel: +1 (310) 817 6567 ENUM: 0.7.5.1.4.2.6.0.6.8.4.e164.arpa skype: abartosiewicz On Thu, 27 Sep 2007, Jaap Akkerhuis wrote:
Finally :)
Good news. We use DNSSEC for our 8.4.e164.zone for quite a long time.
....
ENUM: 0.7.5.1.4.2.6.0.6.8.4.e164.arpa
So, time to sign this one as well :-).
jaap
this domain is signed, ALL servers respond with DNSSEC data EXCEPT the RIPE server which do not support DNSSEC.... so if you resolve domains from 8.4.e164.arpa zone using RIPE server, you can't get DNSSEC enabled answers. we will remove ns.ripe.net and the problem will be solved today. Ah, I might have hit that one, I just only tried it once. But there is at least one lesson in this: you make sure al servers support DNSSEC when you roll it out. jaap
Jaap Akkerhuis wrote on 28-09-2007 12:08:
this domain is signed, ALL servers respond with DNSSEC data EXCEPT the RIPE server which do not support DNSSEC....
so if you resolve domains from 8.4.e164.arpa zone using RIPE server, you can't get DNSSEC enabled answers.
we will remove ns.ripe.net and the problem will be solved today.
Ah, I might have hit that one, I just only tried it once. But there is at least one lesson in this: you make sure al servers support DNSSEC when you roll it out.
We are tracking down the problem together with NASK; as far as we can see ns.ripe.net returns the right dnssec information.
jaap
Andrei Robachevsky CTO, RIPE NCC
On 27 Sep 2007, at 16:04, Andrei Robachevsky wrote:
The RIPE NCC is pleased to announce its plan for the deployment of DNSSEC in the e164.arpa zone (ENUM). This improvement to the operation of the domain was developed and concluded following consultation with the IETF's Internet Architecture Board (IAB).
Excellent! Best regards, Niall O'Reilly Co-Chair, RIPE ENUM Working Group
Niall O'Reilly wrote:
On 27 Sep 2007, at 16:04, Andrei Robachevsky wrote:
The RIPE NCC is pleased to announce its plan for the deployment of DNSSEC in the e164.arpa zone (ENUM). This improvement to the operation of the domain was developed and concluded following consultation with the IETF's Internet Architecture Board (IAB).
Excellent!
Also from my side! :-) Best, Carsten Schiefner Co-Chair, RIPE ENUM Working Group
On 27 sep 2007, at 17.04, Andrei Robachevsky wrote:
The RIPE NCC is pleased to announce its plan for the deployment of DNSSEC in the e164.arpa zone (ENUM). This improvement to the operation of the domain was developed and concluded following consultation with the IETF's Internet Architecture Board (IAB).
Andrei, staff at RIPE NCC, IAB, wg members. My sincere congratulations for this big step towards a more stable and secure Internet. Regards, Patrik Fältström
participants (6)
-
Andrei Robachevsky -
Andrzej Bartosiewicz -
Carsten Schiefner -
Jaap Akkerhuis -
Niall O'Reilly -
Patrik Fältström