unsubscribe jkuijer@dds.nl
Citeren dns-wg-request@ripe.net:
Send dns-wg mailing list submissions to dns-wg@ripe.net
To subscribe or unsubscribe via the World Wide Web, visit http://www.ripe.net/mailman/listinfo/dns-wg or, via email, send a message with subject or body 'help' to dns-wg-request@ripe.net
You can reach the person managing the list at dns-wg-admin@ripe.net
When replying, please edit your Subject line so it is more specific than "Re: Contents of dns-wg digest..."
Today's Topics:
1. unsubscribe jkuijer@dds.nl (jkuijer@dds.nl) 2. RE: RIPE NCC DNSSEC on the reverse tree update. (Brett Carr) 3. RE: RIPE NCC DNSSEC on the reverse tree update. (Alexander Gall)
--__--__--
Message: 1 Date: Tue, 29 Nov 2005 12:24:05 +0100 From: jkuijer@dds.nl To: dns-wg@ripe.net Subject: [dns-wg] unsubscribe jkuijer@dds.nl
Citeren dns-wg-request@ripe.net:
Send dns-wg mailing list submissions to dns-wg@ripe.net
To subscribe or unsubscribe via the World Wide Web, visit http://www.ripe.net/mailman/listinfo/dns-wg or, via email, send a message with subject or body 'help' to dns-wg-request@ripe.net
You can reach the person managing the list at dns-wg-admin@ripe.net
When replying, please edit your Subject line so it is more specific than "Re: Contents of dns-wg digest..."
Today's Topics:
1. RE: RIPE NCC DNSSEC on the reverse tree update. (Alexander Gall) 2. RE: RIPE NCC DNSSEC on the reverse tree update. (Randy Bush)
-- __--__--
Message: 1 From: Alexander Gall <gall@switch.ch> Date: Mon, 28 Nov 2005 12:02:49 +0100 To: "Brett Carr" <brettcarr@ripe.net> Cc: <dns-wg@ripe.net> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
On Mon, 28 Nov 2005 11:24:45 +0100, "Brett Carr" <brettcarr@ripe.net> said:
-----Original Message----- From: Alexander Gall [mailto:gall@switch.ch] Sent: 28 November 2005 08:47 To: Brett Carr Cc: dns-wg@ripe.net Subject: Re: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
Brett,
What's going on with 195.in-addr.arpa? All DNSSEC records are gone, e.g.
We saw some zone file corruption during the early hours of the morning, this caused a failsafe operation to takeover and hence the zones were published without signatures. I've investigated and fixed the corruption and so now everything is back to normal.
Thanks. Having such a failsafe procedure is probably a good idea. However, it caused my sub-zone to be marked as bogus, which is bad (i.e. my cache with only the key for 195.in-addr.arpa configured as trusted key returned SERVFAIL for all queries within 176.195.in-addr.arpa). I think that you must not leave the DS records in the zone when all other DNSSEC RRsets are removed (and the DS record for my zone was definitely there). Otherwise, a verifier will find a DS record but is unable to check its authenticity and has to declare the zone as bogus.
-- Alex
-- __--__--
Message: 2 From: Randy Bush <randy@psg.com> Date: Mon, 28 Nov 2005 06:01:50 -1000 To: "Brett Carr" <brettcarr@ripe.net> Cc: dns-wg@ripe.net Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
We saw some zone file corruption during the early hours of the morning, this caused a failsafe operation to takeover and hence the zones were published without signatures.
considering the obvious attack paths this opens, one assumes that this 'failsafe' would not be part of the operation of a secure zone in normal, as opposed to trial, operation.
randy
End of dns-wg Digest
--__--__--
Message: 2 From: "Brett Carr" <brettcarr@ripe.net> To: "'Alexander Gall'" <gall@switch.ch> Cc: <dns-wg@ripe.net> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update. Date: Tue, 29 Nov 2005 16:38:58 +0100
-----Original Message----- From: Alexander Gall [mailto:gall@switch.ch] Sent: 25 November 2005 15:22 To: Brett Carr Cc: dns-wg@ripe.net Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
Brett,
On Fri, 25 Nov 2005 14:41:34 +0100, "Brett Carr" <brettcarr@ripe.net> said:
-----Original Message----- From: Alexander Gall [mailto:gall@switch.ch] Sent: 25 November 2005 11:48 To: Brett Carr Cc: dns-wg@ripe.net Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
[...]
However, I think there is a problem with ns.ripe.net. It doesn't return DNSSEC RRsets when the DO flag is set in the query:
[...]
I found a small config typo, which I have fixed, it should be ok now though.
Thanks, it looks good now.
Did you have a chance to look (or have somebody else have a look :-) at <https://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi> for the zone 176.195.in-addr.arpa? I can see two problems:
- For some reason, the tool doesn't get replies to queries for NS and DNSKEY records at our name servers {merapi,scsnms}.switch.ch with the DO flag set. The tool then (erroneously) concludes that these RRsets are inconsistent among the servers for the zone.
I see the queries coming in on our servers from 193.0.0.214. Could it be that the replies are filtered somwhere in your network (having strange flags and all that)?
We have now fixed this after finding some strange (udp fragment) filtering behaviour on our Juniper router, We will be carrying out more (lab based) tests on this and will report the results to Juniper.
Regards
Brett
-- Brett Carr RIPE Network Coordination Centre Systems Engineer -- Operations Group Amsterdam, Netherlands GPG Key fingerprint = F20D B2A7 C91D E370 44CF F244 B6A1 EF48 E743 F7D8
--__--__--
Message: 3 From: Alexander Gall <gall@switch.ch> Date: Wed, 30 Nov 2005 08:59:37 +0100 To: "Brett Carr" <brettcarr@ripe.net> Cc: <dns-wg@ripe.net> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
On Tue, 29 Nov 2005 16:38:58 +0100, "Brett Carr" <brettcarr@ripe.net> said:
Did you have a chance to look (or have somebody else have a look :-) at <https://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi> for the zone 176.195.in-addr.arpa? I can see two problems:
- For some reason, the tool doesn't get replies to queries for NS and DNSKEY records at our name servers {merapi,scsnms}.switch.ch with the DO flag set. The tool then (erroneously) concludes that these RRsets are inconsistent among the servers for the zone.
I see the queries coming in on our servers from 193.0.0.214. Could it be that the replies are filtered somwhere in your network (having strange flags and all that)?
We have now fixed this after finding some strange (udp fragment) filtering behaviour on our Juniper router, We will be carrying out more (lab based) tests on this and will report the results to Juniper.
Thanks!
-- Alex
End of dns-wg Digest
participants (1)
-
jkuijer@dds.nl