From olaf at ripe.net Mon Nov 1 16:38:46 2004
From: olaf at ripe.net (Olaf M. Kolkman)
Date: Mon, 1 Nov 2004 16:38:46 +0100
Subject: [dns-wg] ripe policy about reverse dns?
In-Reply-To: <20041028160755.GT2947@narya.grin.hu>
References: <20041028160755.GT2947@narya.grin.hu>
Message-ID: <20041101163846.26061773.olaf@ripe.net>

Peter Gervai wrote:

> I tend to remember that RIPE had a strict policy about delegated address
> space reverse DNS: addresses must have a valid reverse and delegated (sub)
> blocks must be registered in RIPE db. I wanted to refer to the document
> mentioning these requirements but I was not able to find them.

Hello Peter,

The reverse delegation policy is documented in:
http://www.ripe.net/ripe/docs/rev-del.html

There is _no_ wording about the RIPE NCC requiring reverse delegation to be set up by the LIR or by the end users.

I reckon that the language you tend to remember is from the RIPE 244 (obsoleted) section 5.0:

"LIRs should provide reverse delegation corresponding to an assignment during the complete validity period of the assignment."

I hope this answers your query.

Kind regards,

-- Olaf Kolkman
RIPE NCC.

PS. "Encouraging the use of DNS IN-ADDR Mapping" by D. Senie might be relevant. That draft is currently discussed in the IETF DNSOP working group, the most recent revision can be found at:
http://www.senie.com/dan/draft-ietf-dnsop-inaddr-required.txt

---------------------------------| Olaf M. Kolkman
---------------------------------| RIPE NCC

From Ganesh.Natarajan at wipro.com Mon Nov 22 17:56:13 2004
From: Ganesh.Natarajan at wipro.com (Natarajan,Ganesh)
Date: Mon, 22 Nov 2004 22:26:13 +0530
Subject: [dns-wg] Query on Resolver w.r.t DNSSEC
Message-ID:

Hi,

I am Ganesh and I work for Wipro. We are currently working on porting DNS BIND 4.8 to DNS BIND 9.2.3. My platform is HP-Nonstop servers. I have a specific query regarding the role of resolver library in DNSSEC.

Query: Does DNS BIND 9.2.3 support caching and verification of RRs (resource records) on the resolver library part by default?

We are trying to port 4.8 resolver code to 9.2.3 resolver code. Since our platform doesn't support OpenSSL, we are trying to look out for this option. We wanted to know whether by default any authentication is enabled at the resolver part in BIND 9.2.3.

We understand that RFC2535 states CD and AD bit. If CD bit is set, then resolver doesn't do auth and integrity tests. Is this CD bit disabled or enabled in BIND 9.2.3?

To reiterate the whole question again, we wanted to know the role of resolver with respect to DNSSEC in BIND 9.2.3!

Since we are pretty new to DNSSEC, we need your valuable inputs on the above query.

regards,
Ganesh.

From jaap at NLnetLabs.nl Tue Nov 23 15:10:17 2004
From: jaap at NLnetLabs.nl (Jaap Akkerhuis)
Date: Tue, 23 Nov 2004 15:10:17 +0100
Subject: [dns-wg] Query on Resolver w.r.t DNSSEC
In-Reply-To: Your message of Mon, 22 Nov 2004 22:26:13 +0530.
Message-ID: <200411231410.iANEAHh3074886@open.nlnetlabs.nl>

This group is not bound to bind specifically but let me try to answer anyway.

    I am Ganesh and I work for Wipro. We are currently working on
    porting DNS BIND 4.8 to DNS BIND 9.2.3. My platform is HP-Nonstop
    servers. I have a specific query regarding the role of resolver
    library in DNSSEC.

    Query: Does DNS BIND 9.2.3 support caching and verification of RRs
    (resource records) on the resolver library part by default?

    We are trying to port 4.8 resolver code to 9.2.3 resolver code.
    Since our platform doesn't support OpenSSL, we are trying to look
    out for this option. We wanted to know whether by default any
    authentication is enabled at the resolver part in BIND 9.2.3.

If I understand it properly, your platform doesn't have OpenSSL and therefore bind 9 won't compile and therefore you want to port the bind 4.8 resolver into bind 9.

The internal structure of bind9 is completely different than bind 8; to merge parts of both will be a hopeless affair.

Earlier versions of bind9 didn't support DNSSEC by default so could be compiled without openssl support. You might want to ask the bind developers whether it is still possible to compile with the --enable-dnssec=NO flag set (or whatever the flag to configure is).

A quick search for OpenSSL on the HP NON STOP shows two announcements (July Update.pdf, September.pdf) about the availability of OpenSSL in some form.

jaap

From weiler at tislabs.com Tue Nov 23 15:10:22 2004
From: weiler at tislabs.com (Samuel Weiler)
Date: Tue, 23 Nov 2004 09:10:22 -0500 (EST)
Subject: [dns-wg] Query on Resolver w.r.t DNSSEC
In-Reply-To:
References:
Message-ID:

On Mon, 22 Nov 2004, Natarajan,Ganesh wrote:

> Does DNS BIND 9.2.3 support caching and verification of RRs
> (resource records) on the resolver library part by default?

RFC2535 is being obsoleted -- three replacement documents are in the RFC Editor queue right now. The changes between 2535-DNSSEC and DNSSECbis are substantial and incompatible. Only BIND 9.3.0 and later support these recent changes, and it's expected that 2535-DNSSEC is dead. While 9.2.3 does have a DNSSEC validator, it's pretty useless -- if you want DNSSEC, you need to use more modern code.

> we wanted to know, whether by default any authentication is enabled
> at the resolver part in BIND 9.2.3.

No. 9.2.3 has a compile-time option for enabling DNSSEC support in the code.
Even if the features are enabled, no validation is done unless trust anchors are defined (via the trusted-keys config line).

> Is this CD bit disabled or enabled in BIND 9.2.3?

BIND 9.2.3, as a recursive resolver, will not issue queries with the CD bit set (unless it gets queries with the CD bit set). That means that any upstream resolvers that are doing DNSSEC validation will still do it. As above, the BIND 9.2.3 code won't do validation unless the DNSSEC code is enabled and at least one trust anchor is configured.

-- Sam

From brian.wilkinson at bt.com Tue Nov 30 18:31:27 2004
From: brian.wilkinson at bt.com (brian.wilkinson at bt.com)
Date: Tue, 30 Nov 2004 17:31:27 -0000
Subject: [dns-wg] Matching forward and reverse DNS for DSL pool addresses
Message-ID:

Can anyone confirm whether DSL (and dial) providers are required to provide matching forward and reverse DNS for the address pools or is a wildcard in the reverse zones sufficient?

Regards
Brian Wilkinson
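
The AD and CD header bits discussed in the "Query on Resolver w.r.t DNSSEC" replies above, shown on the wire. This is an added example, not part of the original thread and not BIND code; `upstream_query` is a hypothetical model of the CD pass-through rule stated there, and the query name and IDs in any use of it are constructed.

```python
import struct

# DNS header flag masks (RFC 1035 layout; RFC 2535 assigned AD and CD).
QR, RD, RA = 0x8000, 0x0100, 0x0080
AD = 0x0020  # Authentic Data: the responding server validated the answer
CD = 0x0010  # Checking Disabled: the querier asks the server not to validate


def encode_name(name):
    """Encode a domain name as length-prefixed labels plus a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qid, name, qtype=1, rd=True, cd=False):
    """Build a one-question query (class IN) with the chosen RD and CD bits."""
    flags = (RD if rd else 0) | (CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_flags(msg):
    """Return the DNSSEC-relevant header bits of a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack("!HH", msg[:4])
    return {"id": qid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": flags & 0x000F}


def upstream_query(client_msg, new_id):
    """Hypothetical model of the rule stated in the thread: CD is set on the
    outgoing query only when the client's query carried it."""
    # RD is set on the assumption that the upstream is a recursive resolver.
    flags = RD | (CD if parse_flags(client_msg)["cd"] else 0)
    # Assumes a single-question client query; the question bytes are reused.
    return struct.pack("!HHHHHH", new_id, flags, 1, 0, 0, 0) + client_msg[12:]
```

A validating upstream signals success by setting AD in its response; a client that sees CD echoed without AD has received unvalidated data.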