Re: [dns-wg] Just another lookaside zone
To: Lutz Donnerhacke lutz@localhost
From: Alexander Gall gall@localhost
Date: Wed, 8 Feb 2006 12:05:45 +0100
Newsgroups: iks.lists.ripe.dns-wg
On Tue, 7 Feb 2006 17:13:56 +0000 (UTC), Lutz Donnerhacke lutz@localhost said:
> * Lutz Donnerhacke wrote:
>> I did not manage to install a web form right now. If you like to
>> get listed, please send me an email.
> Webform including some statistics is online:
> https://www.iks-jena.de/leistungen/dnssec.php
I have several questions:
Why do you include DLV Records for Zones that are below a secure entry
point (those you call "chained")? They will never be used unless the
parent zones become insecure.
What exactly does "DNSKEY unchecked, DSSET given" mean? I suppose
that you have received the DSSET by the maintainer of the zone through
an authenticated channel (if not, you shouldn't add the DLV record at
all). Why doesn't that make it a secure entry point and why should
you "check" the DNSKEY?
Why do you include DLV records for zones that you know are broken?
Obviously, this classification has no meaning for a resolver that does
lookaside validation. All DLV Records in this zone must have been
authenticated by you (and we all trust you, of course :-), or the
scheme is useless.
Or am I missing the point and this zone should be used as a repository
for secure entry points from which one creates local trusted keys
rather than use it as a true lookaside zone?
Personally, I have come to the conclusion that I don't like it at all
that my cache considers the entire DNS bogus when the DLV zone becomes
unreachable or corrupted. I'll stick to my locally configured trusted
keys and wait for the root to be signed.
BTW, there are some nasty bugs in the DLV implementation in BIND up to
9.3.2 (e.g. see what happens when you corrupt the trusted key of your
DLV zone, but don't do it on your production server :-) I've been
told that it has been improved a lot for 9.4 and these changes will be
backported to 9.3.3.
>> I'm looking for a *stable* ipv6 and dnssec able secondary server
>> for our zones. If you like to exchange secondary DNS service in
>> different AS, please contact me via OpenPGP mail.
> Problem solved. Half a day after this message, Cable & Wireless announced
> that they switched their DNS infrastructure (at least for secondaries) to
> DNSSEC. Great!
Cool. In case you still need secondaries, I can offer two in
Switzerland with excellent IPv6 connectivity :-)
--
Alex
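The lookup order behind the first question above (a DLV record for a zone already chained from a configured secure entry point is never consulted) and the failure mode described in the last paragraph (a lookaside zone that cannot be fetched turns every name outside a locally anchored tree bogus), as an added, simplified model following RFC 4035 and RFC 5074; this is not code from the post or from BIND, and all zone names, DS data and DLV entries are constructed:

```python
# Added model of a validating resolver with a lookaside (DLV) zone; not code
# from the post or from BIND. All zone names, DS data and DLV entries are constructed.

def ancestors(name):
    """Enclosing names of `name`, nearest first, ending with the root '.'."""
    labels = [lab for lab in name.split(".") if lab]
    return [".".join(labels[i:]) + "." for i in range(1, len(labels))] + ["."]

def chained_from_anchor(name, anchors, ds_chain):
    """Trust anchor from which an unbroken DS chain reaches `name`, else None."""
    path = [name] + ancestors(name)               # name, parent, ..., root
    for i, zone in enumerate(path):
        if zone not in anchors:
            continue
        parent, ok = zone, True
        for child in reversed(path[:i]):          # walk down from the anchor to name
            ok = ok and child in ds_chain.get(parent, ())   # parent must publish a DS
            parent = child
        if ok:
            return zone
    return None

def dlv_lookup(name, dlv_registry, queried):
    """Closest enclosing name with a DLV record; every name asked is logged in `queried`."""
    for zone in [name] + ancestors(name)[:-1]:    # the root is never looked up in DLV
        queried.append(zone)
        if zone in dlv_registry:
            return zone
    return None

def validate(name, anchors, ds_chain, dlv_registry, queried=None):
    """Classify `name` as 'secure', 'insecure' or 'bogus'. dlv_registry=None
    stands for a lookaside zone that is unreachable or fails to validate."""
    queried = [] if queried is None else queried
    if chained_from_anchor(name, anchors, ds_chain):
        return "secure"                           # a DLV entry for this zone is never used
    if dlv_registry is None:
        return "bogus"                            # failed lookaside query: bogus, not insecure
    entry = dlv_lookup(name, dlv_registry, queried)
    if entry and chained_from_anchor(name, {entry}, ds_chain):
        return "secure"
    return "insecure"

# Constructed sample: sub.example. is chained from the local anchor example.,
# other.test. is reachable only through the DLV record for test.
DS_CHAIN = {"example.": {"sub.example."}, "test.": {"other.test."}}
ANCHORS = {"example."}
DLV = {"sub.example.", "test."}
```

With this data, validate("sub.example.", ...) returns "secure" without a single DLV query even though the registry lists it, while validate("other.test.", ...) with dlv_registry=None returns "bogus" rather than "insecure".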