[dns-wg] unsubscribe jkuijer@dds.nl
Date: Tue, 29 Nov 2005 12:24:05 +0100
Quoting dns-wg-request@localhost:
> Send dns-wg mailing list submissions to
> dns-wg@localhost
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://www.ripe.net/mailman/listinfo/dns-wg
> or, via email, send a message with subject or body 'help' to
> dns-wg-request@localhost
>
> You can reach the person managing the list at
> dns-wg-admin@localhost
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of dns-wg digest..."
>
>
> Today's Topics:
>
> 1. RE: RIPE NCC DNSSEC on the reverse tree update. (Alexander Gall)
> 2. RE: RIPE NCC DNSSEC on the reverse tree update. (Randy Bush)
>
> --__--__--
>
> Message: 1
> From: Alexander Gall gall@localhost
> Date: Mon, 28 Nov 2005 12:02:49 +0100
> To: "Brett Carr" brettcarr@localhost
>
> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
>
> On Mon, 28 Nov 2005 11:24:45 +0100, "Brett Carr" brettcarr@localhost said:
>
> >> -----Original Message-----
> >> From: Alexander Gall [ ]
> >> Sent: 28 November 2005 08:47
> >> To: Brett Carr
> >> Subject: Re: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> >>
> >> Brett,
> >>
> >> What's going on with 195.in-addr.arpa? All DNSSEC records
> >> are gone, e.g.
> >>
>
> > We saw some zone file corruption during the early hours of the morning, this
> > caused a failsafe operation to take over and hence the zones were published
> > without signatures. I've investigated and fixed the corruption and so now
> > everything is back to normal.
>
> Thanks. Having such a failsafe procedure is probably a good idea.
> However, it caused my sub-zone to be marked as bogus, which is bad
> (i.e. my cache with only the key for 195.in-addr.arpa configured as
> trusted key returned SERVFAIL for all queries within
> 176.195.in-addr.arpa). I think that you must not leave the DS records
> in the zone when all other DNSSEC RRsets are removed (and the DS
> record for my zone was definitely there). Otherwise, a verifier will
> find a DS record but is unable to check its authenticity and has to
> declare the zone as bogus.
>
> --
> Alex
>
>
>
> --__--__--
>
> Message: 2
> From: Randy Bush randy@localhost
> Date: Mon, 28 Nov 2005 06:01:50 -1000
> To: "Brett Carr" brettcarr@localhost
> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
>
> > We saw some zone file corruption during the early hours of the
> > morning, this caused a failsafe operation to take over and hence
> > the zones were published without signatures.
>
> considering the obvious attack paths this opens, one assumes that
> this 'failsafe' would not be part of the operation of a secure
> zone in normal, as opposed to trial, operation.
>
> randy
>
>
>
>
> End of dns-wg Digest
>
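
A structural pre-publication check for the condition Alexander Gall describes in the quoted digest (DS records left in a zone whose other DNSSEC RRsets were stripped), as an added example that is not from the thread or from RIPE NCC's tooling. The zone text, record data and function names are constructed for illustration, and the check only looks for a covering RRSIG; it does not verify signatures cryptographically.

```python
from collections import defaultdict

# Constructed sample zone with placeholder key and signature data (not real zone content).
SIGNED = """\
195.in-addr.arpa. 3600 IN SOA ns.example. host.example. 1 2 3 4 5
195.in-addr.arpa. 3600 IN DNSKEY 257 3 5 AAAA
195.in-addr.arpa. 3600 IN RRSIG DNSKEY 5 3 3600 20051228000000 20051128000000 1111 195.in-addr.arpa. AAAA
176.195.in-addr.arpa. 3600 IN NS ns1.example.
176.195.in-addr.arpa. 3600 IN DS 2222 5 1 ABCD
176.195.in-addr.arpa. 3600 IN RRSIG DS 5 4 3600 20051228000000 20051128000000 1111 195.in-addr.arpa. AAAA
"""

def strip_signatures(zone_text):
    """Model the failsafe from the thread: drop DNSSEC RRsets but keep DS."""
    drop = {"RRSIG", "DNSKEY", "NSEC"}
    return "\n".join(l for l in zone_text.splitlines() if l.split()[3] not in drop)

def parse(zone_text):
    """Return ({owner: record types}, {owner: types covered by an RRSIG})."""
    types, covered = defaultdict(set), defaultdict(set)
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue  # skip blanks, comments and malformed lines
        owner, rtype = f[0].lower(), f[3].upper()
        types[owner].add(rtype)
        if rtype == "RRSIG":
            covered[owner].add(f[4].upper())  # first RDATA field is the type covered
    return types, covered

def orphaned_ds(zone_text):
    """Owners with a DS RRset but no RRSIG covering it.

    A validator with a trust anchor for the zone cannot authenticate such a
    DS and treats the delegation as bogus (SERVFAIL to clients).
    """
    types, covered = parse(zone_text)
    return sorted(o for o, t in types.items() if "DS" in t and "DS" not in covered[o])

def safe_to_publish(zone_text):
    """True only if every DS RRset in the zone has a covering RRSIG."""
    return not orphaned_ds(zone_text)
```

Run against the stripped copy, `orphaned_ds` names the delegation that would go bogus; removing the DS along with the signatures makes the check pass.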