About RIPE | Contact  | Search | Sitemap    
Homepage RIPE  
RIPE Community Mail Archives
search  
     
Next Sectionyou are here: RIPE -> RIPE Maillists > Archives
RIPE Navigation Ends
About RIPE Maillists
Maillists Archive
Global Lists
Non Active Lists
RIPE NCC Navigation Ends
Next Section
<<< Chronological >>> Author Index    Subject Index <<< Threads >>>

[dns-wg] unsubscribe jkuijer@dds.nl

  • From:
  • Date: Wed, 30 Nov 2005 12:42:32 +0100
Citeren dns-wg-request@localhost:

> Send dns-wg mailing list submissions to
> 	dns-wg@localhost
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://www.ripe.net/mailman/listinfo/dns-wg
> or, via email, send a message with subject or body 'help' to
> 	dns-wg-request@localhost
>
> You can reach the person managing the list at
> 	dns-wg-admin@localhost
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of dns-wg digest..."
>
>
> Today's Topics:
>
>    1. unsubscribe jkuijer@localhost (jkuijer@localhost)
>    2. RE: RIPE NCC DNSSEC on the reverse tree update. (Brett Carr)
>    3. RE: RIPE NCC DNSSEC on the reverse tree update. (Alexander Gall)
>
> --__--__--
>
> Message: 1
> Date: Tue, 29 Nov 2005 12:24:05 +0100
> From: jkuijer@localhost
> Subject: [dns-wg] unsubscribe jkuijer@localhost
>
> Citeren dns-wg-request@localhost:
>
> > Send dns-wg mailing list submissions to
> > 	dns-wg@localhost
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > 	http://www.ripe.net/mailman/listinfo/dns-wg
> > or, via email, send a message with subject or body 'help' to
> > 	dns-wg-request@localhost
> >
> > You can reach the person managing the list at
> > 	dns-wg-admin@localhost
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of dns-wg digest..."
> >
> >
> > Today's Topics:
> >
> >    1. RE: RIPE NCC DNSSEC on the reverse tree update. (Alexander Gall)
> >    2. RE: RIPE NCC DNSSEC on the reverse tree update. (Randy Bush)
> >
> > -- __--__--
> >
> > Message: 1
> > From: Alexander Gall gall@localhost
> > Date: Mon, 28 Nov 2005 12:02:49 +0100
> > To: "Brett Carr" brettcarr@localhost
> >
> > Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> >
> > On Mon, 28 Nov 2005 11:24:45 +0100, "Brett Carr" brettcarr@localhost said:
> >
> > >> -----Original Message-----
> > >> From: Alexander Gall [
	    
	    

]
> > >> Sent: 28 November 2005 08:47
> > >> To: Brett Carr
> > >> > >> Subject: Re: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> > >>
> > >> Brett,
> > >>
> > >> What's going on with 195.in-addr.arpa?  All DNSSEC records
> > >> are gone, e.g.
> > >>
> >
> > > We saw some zone file corruption during the early hours of the morning,
> > this
> > > caused a failsafe operation to takeover and  hence the zones were
> published
> > > without signatures. I've investigated and fixed the corruption and so now
> > > everything is back to normal.
> >
> > Thanks.  Having such a failsafe procedure is probably a good idea.
> > However, it caused my sub-zone to be marked as bogus, which is bad
> > (i.e. my cache with only the key for 195.in-addr.arpa configured as
> > trusted key returned SERVFAIL for all queries within
> > 176.195.in-addr.arpa).  I think that you must not leave the DS records
> > in the zone when all other DNSSEC RRsets are removed (and the DS
> > record for my zone was definitely there).  Otherwise, a verifier will
> > find a DS record but is unable to check its authenticity and has to
> > declare the zone as bogus.
> >
> > --
> > Alex
> >
> >
> >
> > -- __--__--
> >
> > Message: 2
> > From: Randy Bush randy@localhost
> > Date: Mon, 28 Nov 2005 06:01:50 -1000
> > To: "Brett Carr" brettcarr@localhost
> > > Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> >
> > > We saw some zone file corruption during the early hours of the
> > > morning, this caused a failsafe operation to takeover and hence
> > > the zones were published without signatures.
> >
> > considering the obvious attack paths this opens, one assumes that
> > this 'failsafe' would not be part of the operation of a secure
> > zone in normal, as opposed to trial, operation.
> >
> > randy
> >
> >
> >
> >
> > End of dns-wg Digest
> >
>
>
>
>
> --__--__--
>
> Message: 2
> From: "Brett Carr" brettcarr@localhost
> To: "'Alexander Gall'" gall@localhost
>
> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> Date: Tue, 29 Nov 2005 16:38:58 +0100
>
>
>
> > -----Original Message-----
> > From: Alexander Gall [
	    
	    

]
> > Sent: 25 November 2005 15:22
> > To: Brett Carr
> > > Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> >
> > Brett,
> >
> > On Fri, 25 Nov 2005 14:41:34 +0100, "Brett Carr"
> > brettcarr@localhost said:
> >
> > >> -----Original Message-----
> > >> From: Alexander Gall [
	    
	    

]
> > >> Sent: 25 November 2005 11:48
> > >> To: Brett Carr
> > >> > >> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> >
> > [...]
> >
> > >>
> > >> However, I think there is a problem with ns.ripe.net.  It doesn't
> > >> return DNSSEC RRsets when the DO flag is set in the query:
> > >>
> >
> > [...]
> >
> > > I found a small config typo, which I have fixed, it should
> > be ok now though.
> >
> > Thanks, it looks good now.
> >
> > Did you have a chance to look (or have somebody else have a
> > look :-) at
> > <https://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi> for the
> > zone 176.195.in-addr.arpa?  I can see two problems:
> >
> > - For some reason, the tool doesn't get replies to queries for NS and
> >   DNSKEY records at our name servers {merapi,scsnms}.switch.ch with
> >   the DO flag set.  The tool then (erroneously) concludes that these
> >   RRsets are inconsistent among the servers for the zone.
> >
> >   I see the queries coming in on our servers from 193.0.0.214.  Could
> >   it be that the replies are filtered somwhere in your network (having
> >   strange flags and all that)?
>
>
> We have now fixed this after finding some strange (udp fragment) filtering
> behaviour on our Juniper router, We will be carrying out more (lab based)
> tests on this and will report the results to Juniper.
>
> Regards
>
> Brett
>
> --
> Brett Carr                              RIPE Network Coordination Centre
> Systems Engineer -- Operations Group    Amsterdam, Netherlands
> GPG Key fingerprint = F20D B2A7 C91D E370 44CF  F244 B6A1 EF48 E743 F7D8
>
>
>
>
> --__--__--
>
> Message: 3
> From: Alexander Gall gall@localhost
> Date: Wed, 30 Nov 2005 08:59:37 +0100
> To: "Brett Carr" brettcarr@localhost
>
> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
>
> On Tue, 29 Nov 2005 16:38:58 +0100, "Brett Carr" brettcarr@localhost said:
>
> >> Did you have a chance to look (or have somebody else have a
> >> look :-) at
> >> <https://www.ripe.net/cgi-bin/delcheck/delcheck2.cgi> for the
> >> zone 176.195.in-addr.arpa?  I can see two problems:
> >>
> >> - For some reason, the tool doesn't get replies to queries for NS and
> >> DNSKEY records at our name servers {merapi,scsnms}.switch.ch with
> >> the DO flag set.  The tool then (erroneously) concludes that these
> >> RRsets are inconsistent among the servers for the zone.
> >>
> >> I see the queries coming in on our servers from 193.0.0.214.  Could
> >> it be that the replies are filtered somwhere in your network (having
> >> strange flags and all that)?
>
>
> > We have now fixed this after finding some strange (udp fragment) filtering
> > behaviour on our Juniper router, We will be carrying out more (lab based)
> > tests on this and will report the results to Juniper.
>
> Thanks!
>
> --
> Alex
>
>
>
>
> End of dns-wg Digest
>
Post To The List:
<<< Chronological >>> Author    Subject <<< Threads >>>
 

Next Section
     About RIPE | Site Map | LIR Portal | About the RIPE NCC | Contact | © RIPE Community. All rights reserved.
RIPE.NET Homepage LIR Portal RIPE Community