[dns-wg] unsubscribe jkuijer at dds.nl
jkuijer at dds.nl
Tue Nov 29 12:24:05 CET 2005
Quoting dns-wg-request at ripe.net:

> Send dns-wg mailing list submissions to
>     dns-wg at ripe.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     http://www.ripe.net/mailman/listinfo/dns-wg
> or, via email, send a message with subject or body 'help' to
>     dns-wg-request at ripe.net
>
> You can reach the person managing the list at
>     dns-wg-admin at ripe.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of dns-wg digest..."
>
>
> Today's Topics:
>
>    1. RE: RIPE NCC DNSSEC on the reverse tree update. (Alexander Gall)
>    2. RE: RIPE NCC DNSSEC on the reverse tree update. (Randy Bush)
>
> --__--__--
>
> Message: 1
> From: Alexander Gall <gall at switch.ch>
> Date: Mon, 28 Nov 2005 12:02:49 +0100
> To: "Brett Carr" <brettcarr at ripe.net>
> Cc: <dns-wg at ripe.net>
> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
>
> On Mon, 28 Nov 2005 11:24:45 +0100, "Brett Carr" <brettcarr at ripe.net> said:
>
> >> -----Original Message-----
> >> From: Alexander Gall [mailto:gall at switch.ch]
> >> Sent: 28 November 2005 08:47
> >> To: Brett Carr
> >> Cc: dns-wg at ripe.net
> >> Subject: Re: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
> >>
> >> Brett,
> >>
> >> What's going on with 195.in-addr.arpa? All DNSSEC records
> >> are gone, e.g.
> >>
>
> > We saw some zone file corruption during the early hours of the morning, this
> > caused a failsafe operation to takeover and hence the zones were published
> > without signatures. I've investigated and fixed the corruption and so now
> > everything is back to normal.
>
> Thanks. Having such a failsafe procedure is probably a good idea.
> However, it caused my sub-zone to be marked as bogus, which is bad
> (i.e. my cache with only the key for 195.in-addr.arpa configured as
> trusted key returned SERVFAIL for all queries within
> 176.195.in-addr.arpa). I think that you must not leave the DS records
> in the zone when all other DNSSEC RRsets are removed (and the DS
> record for my zone was definitely there). Otherwise, a verifier will
> find a DS record but is unable to check its authenticity and has to
> declare the zone as bogus.
>
> --
> Alex
>
>
>
> --__--__--
>
> Message: 2
> From: Randy Bush <randy at psg.com>
> Date: Mon, 28 Nov 2005 06:01:50 -1000
> To: "Brett Carr" <brettcarr at ripe.net>
> Cc: dns-wg at ripe.net
> Subject: RE: [dns-wg] RIPE NCC DNSSEC on the reverse tree update.
>
> > We saw some zone file corruption during the early hours of the
> > morning, this caused a failsafe operation to takeover and hence
> > the zones were published without signatures.
>
> considering the obvious attack paths this opens, one assumes that
> this 'failsafe' would not be part of the operation of a secure
> zone in normal, as opposed to trial, operation.
>
> randy
>
>
>
>
> End of dns-wg Digest
>
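
The condition reported in Message 1 of the quoted digest (DS RRsets left in a parent zone that is published without signatures) can be caught by a check run before publication. This is an added example, not part of the original thread and not RIPE NCC tooling; the function names, the simplified one-record-per-line zone format and all record data below are constructed assumptions.

```python
# Added example: flag DS RRsets that have no RRSIG covering them.
CLASSES = {"IN", "CH", "HS"}

def parse_records(zone_text):
    """Yield (owner, rrtype, rdata_fields) from a simplified zone listing.

    Assumption: one record per line, fully qualified owner names, optional
    TTL and class, no $ORIGIN, no parentheses, no blank-owner continuation.
    """
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue
        owner, rest = fields[0].lower(), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest = rest[1:]                      # skip TTL and class
        if rest:
            yield owner, rest[0].upper(), rest[1:]

def unsigned_ds_owners(zone_text):
    """Return owner names that carry a DS RRset but no RRSIG covering DS."""
    ds_owners, signed = set(), set()
    for owner, rrtype, rdata in parse_records(zone_text):
        if rrtype == "DS":
            ds_owners.add(owner)
        elif rrtype == "RRSIG" and rdata and rdata[0].upper() == "DS":
            signed.add(owner)                    # first RRSIG field = type covered
    return sorted(ds_owners - signed)

# Constructed sample data: key, digest and signature fields are placeholders.
SIGNED_ZONE = """\
195.in-addr.arpa. 3600 IN SOA ns.example. host.example. 1 3600 600 864000 3600
195.in-addr.arpa. 3600 IN DNSKEY 257 3 5 PLACEHOLDERKEY
176.195.in-addr.arpa. 3600 IN NS ns.example.
176.195.in-addr.arpa. 3600 IN DS 12345 5 1 0000000000000000000000000000000000000000
176.195.in-addr.arpa. 3600 IN RRSIG DS 5 4 3600 20051228000000 20051128000000 54321 195.in-addr.arpa. PLACEHOLDERSIG
"""

# Models the fallback described in the thread: signatures and keys are
# stripped, but the DS record for the child zone is left behind.
FAILSAFE_ZONE = "\n".join(
    line for line in SIGNED_ZONE.splitlines()
    if " RRSIG " not in line and " DNSKEY " not in line
)

if __name__ == "__main__":
    for name, zone in (("signed", SIGNED_ZONE), ("failsafe", FAILSAFE_ZONE)):
        print(name, "->", unsigned_ds_owners(zone) or "ok")
```

A non-empty result means a validating resolver with a trust anchor for the parent would find a DS it cannot authenticate for those delegations, so the zone should not be published in that state.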