From brettcarr at ripe.net Tue Apr 4 16:43:40 2006
From: brettcarr at ripe.net (Brett Carr)
Date: Tue, 4 Apr 2006 16:43:40 +0200
Subject: [dns-wg] RIPE NCC DNSSEC Key Rollover
Message-ID: <20060404144137.864052F595@herring.ripe.net>

[Apologies for Duplicates]

Dear Colleagues,

The RIPE NCC changes the Key Signing Keys (KSKs) for its signed zones
twice each year. We have today published new keys for all zones. Old
keys will continue to function until the second stage of the rollover
on 3 July 2006.

We recommend that you reconfigure any resolvers to use the new keys
before then. You can download them from:
https://test-www.ripe.net/projects/disi//keys/ripe-ncc-dnssec-keys-new.txt

The DNSSEC Key Maintenance Procedure is available at:
https://test-www.ripe.net/rs/reverse/dnssec/key-maintenance-procedure.html

If you have any questions about this, please send an e-mail to .

Regards,

Brett Carr
RIPE NCC

From brettcarr at ripe.net Tue Apr 4 16:51:43 2006
From: brettcarr at ripe.net (Brett Carr)
Date: Tue, 4 Apr 2006 16:51:43 +0200
Subject: [dns-wg] RIPE NCC DNSSEC Key Rollover
In-Reply-To: <20060404144137.864052F595@herring.ripe.net>
Message-ID: <20060404144940.9811F2F595@herring.ripe.net>

> Dear Colleagues,
>
> The RIPE NCC changes the Key Signing Keys (KSKs) for its
> signed zones twice each year. We have today published new
> keys for all zones. Old keys will continue to function until
> the second stage of the rollover on 3 July 2006.
>
> We recommend that you reconfigure any resolvers to use the
> new keys before then. You can download them from:
> https://test-www.ripe.net/projects/disi//keys/ripe-ncc-dnssec-
> keys-new.txt
>
> The DNSSEC Key Maintenance Procedure is available at:
> https://test-www.ripe.net/rs/reverse/dnssec/key-maintenance-pr
> ocedure.html
>
> If you have any questions about this, please send an e-mail
> to .
>

And of course no matter how many times you read through an e-mail
before you send it to make sure you don't make a mistake, well you..
make a mistake.

Now with the correct URLs

Dear Colleagues,

The RIPE NCC changes the Key Signing Keys (KSKs) for its signed zones
twice each year. We have today published new keys for all zones. Old
keys will continue to function until the second stage of the rollover
on 3 July 2006.

We recommend that you reconfigure any resolvers to use the new keys
before then. You can download them from:
https://www.ripe.net/projects/disi//keys/ripe-ncc-dnssec-keys-new.txt

The DNSSEC Key Maintenance Procedure is available at:
https://www.ripe.net/rs/reverse/dnssec/key-maintenance-procedure.html

If you have any questions about this, please send an e-mail to .

Regards,

Brett Carr
RIPE NCC

From president at ukraine.su Thu Apr 6 17:48:54 2006
From: president at ukraine.su (Max Tulyev)
Date: Thu, 6 Apr 2006 19:48:54 +0400
Subject: [dns-wg] .RU signed
Message-ID: <200604061948.54666.president@ukraine.su>

Hi!

Maybe a bit off-topic here, but could be interesting ;)

.RU now has a DNSSEC signed view as well as secure delegations.
Details are on http://www.dnssec.ru/

Now it is in beta stage. Any comments/suggestions are welcome.

BIG THANKS to RIPE and especially the RIPE NCC DNS/DNSSEC training
courses that explained the DNSSEC infrastructure to me and gave me
the idea to make a DNSSEC signed .RU domain!

-- 
WBR, Max Tulyev (MT6561-RIPE, 2:463/253 at FIDO)

From pk at DENIC.DE Thu Apr 13 17:10:33 2006
From: pk at DENIC.DE (Peter Koch)
Date: Thu, 13 Apr 2006 17:10:33 +0200
Subject: [dns-wg] DRAFT Meeting Agenda for RIPE 52
Message-ID: <20060413151033.GC9695@denics7.denic.de>

Dear WG,

find below the draft agenda for our two sessions during the upcoming
meeting in Istanbul. Please send comments to the chairs.

-Peter

# $Id: RIPE52agenda,v 1.5 2006/04/13 15:06:05 pk Exp $
#############################################################################
                                  D R A F T
#############################################################################

DNS-related presentations in the EOF/plenary:

TUE, 2006-04-25:
   Reflector Attacks Using DNS Infrastructure (Joao Damas)
   DNS amplification attacks (Matsuzaki Yoshinobu)
   Security Issues in ENUM (Gerhard Schröder)

WED, 2006-04-26:
   Perils of Transitive Trust in the Domain Name System (Emin Gun Sirer)
   The Impact of anycast on Root DNS Servers. The Case of K-root
      (Lorenzo Colitti)
   DNS in Turkey (Attila Ozgit)

#############################################################################
2006-04-27 1100 - 1230, DNS WG slot I                                [90 min]
#############################################################################

0) Administrivia                                             [chairs][ 5 min]
   - scribe, jabber, minutes
   - agenda bashing

1) Status Reports                                                  [][25 min]
   - IETF dnsext, dnsop and others                     [Olaf Kolkman][18 min]
   - IANA Overview                                     [David Conrad][ 7 min]

2) DNSSEC Status and Deployment Reports                            [][20 min]
   - SE Experiences                                                      [][]
   - DNSSEC Deployment WG                                                [][]
   - News/Statistics from the NCC                                        [][]
   - Other

3) Action Item Review                                        [chairs][10 min]
   48.1 48.2 49.1 49.2
   51.1: see plenary presentation on K-root
   51.2: see (4)
   51.3: see also 51.4 51.5: see (6)

4) IP6.INT phase out                   [Andrei Robachevski, RIPE NCC][10 min]

5) Reverse DNS Quality                       [Brian Riddle, RIPE NCC][10 min]

6) Proposal to bring ENUM Zone Management in line with the
   Reverse DNS                                       [N.N., RIPE NCC][10 min]

#############################################################################
2006-04-27 1600 - 1700, DNS WG slot II                               [60 min]
#############################################################################

7) Plenaries Followup                                        [chairs][15 min]
   Discussion of details postponed from plenary presentations
   (see above), including identification of potential work for the WG

8) ICANN IDN guidelines & IDN Future                    [Marcos Sanz][20 min]
   [may also touch draft-iab-idn-nextsteps-XX.txt]

9) Nominet's Dynamic Updates                              [Jay Daley][15 min]

X) I/O with other WGs                                        [chairs][ 4 min]

Y) A.O.B.                                                    [chairs][ 4 min]

Z) Wrap-Up & Close                                           [chairs][ 2 min]

#############################################################################

From LUF at dk.ibm.com Fri Apr 14 16:11:07 2006
From: LUF at dk.ibm.com (Oluf Nielsen)
Date: Fri, 14 Apr 2006 16:11:07 +0200
Subject: [dns-wg] Oluf Nielsen is out of the office.
Message-ID:

I will be out of the office starting 10-04-2006 and will not return
until 18-04-2006.

I will respond to your message when I return.

From pk at DENIC.DE Thu Apr 20 13:20:48 2006
From: pk at DENIC.DE (Peter Koch)
Date: Thu, 20 Apr 2006 13:20:48 +0200
Subject: [dns-wg] DRAFT DNS WG Meeting Agenda for RIPE 52
Message-ID: <20060420112048.GL1598@unknown.office.denic.de>

Dear DNS WG,

here's an updated draft agenda for the upcoming meetings on Thursday
next week. Changes include an extra slot for discussion of K-Root
anycast. DNSSEC status updates were merged into the general reports
item.

-Peter

# $Id: RIPE52agenda,v 1.6 2006/04/20 11:14:44 pk Exp $
#############################################################################
                                  D R A F T
#############################################################################

DNS-related presentations in the EOF/plenary:

TUE, 2006-04-25:
   Reflector Attacks Using DNS Infrastructure (Joao Damas)
   DNS amplification attacks (Matsuzaki Yoshinobu)
   Security Issues in ENUM (Gerhard Schröder)

WED, 2006-04-26:
   Perils of Transitive Trust in the Domain Name System (Emin Gun Sirer)
   The Impact of anycast on Root DNS Servers. The Case of K-root
      (Lorenzo Colitti)
   DNS in Turkey (Attila Ozgit)

#############################################################################
2006-04-27 1100 - 1230, DNS WG slot I                                [90 min]
#############################################################################

0) Administrivia                                             [chairs][ 5 min]
   - scribe, jabber, minutes
   - agenda bashing

1) Status Reports                                                  [][30 min]
   - IETF dnsext, dnsop and others                     [Olaf Kolkman][18 min]
   - IANA Overview                                     [David Conrad][ 7 min]
   - DNSSEC News/Statistics from the NCC                            [][ 5min]

2) Action Item Review                                        [chairs][15 min]
   48.1 48.2 49.1 49.2
   51.1: see (3) and plenary presentation on K-root
   51.2: see (4)
   51.3: see also 51.4 51.5: see (6)

3) Anycast on K-Root                      [Lorenzo Colitti, RIPE NCC][10 min]

4) IP6.INT phase out                   [Andrei Robachevski, RIPE NCC][10 min]

5) Reverse DNS Quality                       [Brian Riddle, RIPE NCC][10 min]

6) Proposal to bring ENUM Zone Management in line with the
   Reverse DNS                                       [N.N., RIPE NCC][10 min]

#############################################################################
2006-04-27 1600 - 1700, DNS WG slot II                               [60 min]
#############################################################################

7) Plenaries Followup                                        [chairs][15 min]
   Discussion of details postponed from plenary presentations
   (see above), including identification of potential work for the WG

8) ICANN IDN guidelines & IDN Future                    [Marcos Sanz][20 min]
   [may also touch draft-iab-idn-nextsteps-05.txt]

9) Nominet's Dynamic Updates                              [Jay Daley][15 min]

X) I/O with other WGs                                        [chairs][ 4 min]

Y) A.O.B.                                                    [chairs][ 4 min]

Z) Wrap-Up & Close                                           [chairs][ 2 min]

#############################################################################

From Jim at rfc1035.com Sun Apr 30 09:46:25 2006
From: Jim at rfc1035.com (Jim Reid)
Date: Sun, 30 Apr 2006 08:46:25 +0100
Subject: [dns-wg] "DNS Vulnerabilities" paper hits the mainstream
Message-ID: <761A99A4-9D9B-476B-BEBC-10B7679184A5@rfc1035.com>

Emin Gun Sirer's paper/presentation at RIPE52 has been picked up by
the BBC:

http://news.bbc.co.uk/1/hi/technology/4954208.stm

Any thoughts on how to respond to that?

From mansaxel at sunet.se Sun Apr 30 15:03:57 2006
From: mansaxel at sunet.se (Måns Nilsson)
Date: Sun, 30 Apr 2006 15:03:57 +0200
Subject: [dns-wg] "DNS Vulnerabilities" paper hits the mainstream
In-Reply-To: <761A99A4-9D9B-476B-BEBC-10B7679184A5@rfc1035.com>
References: <761A99A4-9D9B-476B-BEBC-10B7679184A5@rfc1035.com>
Message-ID: <830CF867F5A0D0C0DC62453E@E3993D2B0BE66833664712A4>

--On den 30 april 2006 08.46.25 +0100 Jim Reid wrote:

> Emin Gun Sirer's paper/presentation at RIPE52 has been picked up by the
> BBC:
>
> http://news.bbc.co.uk/1/hi/technology/4954208.stm
>
> Any thoughts on how to respond to that?

Not having read the BBC article, I think something along

"Yes, we know. Emin's work points out some of the far-gone consequences
of not paying attention. We are, however, pretty convinced that:

1. The mentioned examples are extremes. Most of the namespace is in
   considerably better order.

2. DNS has historically been a neglected part of the quality control
   most web site operators perform. It simply is so redundant and
   ubiquitous that it is not seen as a critical part.

3. The ultimate fix for this is DNSSEC."

...or so.

-- 
Måns Nilsson                     Systems Specialist
+46 70 681 7204   cell                       KTHNOC
+46 8 790 6518  office                  MN1334-RIPE

Inside, I'm already SOBBING!

From Jim at rfc1035.com Sun Apr 30 21:02:45 2006
From: Jim at rfc1035.com (Jim Reid)
Date: Sun, 30 Apr 2006 20:02:45 +0100
Subject: [dns-wg] "DNS Vulnerabilities" paper hits the mainstream
In-Reply-To: <006601c66c83$82ec5600$64c8a8c0@balefirehome>
References: <761A99A4-9D9B-476B-BEBC-10B7679184A5@rfc1035.com> <006601c66c83$82ec5600$64c8a8c0@balefirehome>
Message-ID:

On Apr 30, 2006, at 19:25, Sander Steffann wrote:

> Maybe someone 'official' should contact the BBC and try to cool
> this down a bit.

FWIW I have contacted the BBC asking them to present a more balanced
report. I doubt anything will come of that. Even if the BBC does
publish a correction it will be an uphill battle to explain the
details of how DNS actually works to a puzzled BBC journalist with a
deadline to meet.

Niall O'Reilly said he posted something through the "have your say"
feature of the BBC web site. Perhaps if others on this list did
likewise....

> People might get scared :) It is good that attention is given to
> the risks of badly secured DNS servers, but scaring the public like
> this...

Indeed. Though personally speaking, I don't accept Sirer's methodology
let alone his conclusions about "vulnerabilities" or badly secured
name servers. Which doesn't for a moment mean the DNS has no
vulnerabilities or badly secured servers. These do of course exist.
Just not in the way Emin Gun Sirer has suggested.

From fw at deneb.enyo.de Sun Apr 30 21:12:41 2006
From: fw at deneb.enyo.de (Florian Weimer)
Date: Sun, 30 Apr 2006 21:12:41 +0200
Subject: [dns-wg] Re: [dns-operations] "DNS Vulnerabilities" paper hits the mainstream
In-Reply-To: <761A99A4-9D9B-476B-BEBC-10B7679184A5@rfc1035.com> (Jim Reid's message of "Sun, 30 Apr 2006 08:46:25 +0100")
References: <761A99A4-9D9B-476B-BEBC-10B7679184A5@rfc1035.com>
Message-ID: <87aca298t2.fsf@mid.deneb.enyo.de>

* Jim Reid:

> Any thoughts on how to respond to that?

It's one of those PR attacks. Potentially very costly, but since no
particular product or company is targeted, no real harm is done this
time.

From s.steffann at computel.nl Sun Apr 30 21:17:01 2006
From: s.steffann at computel.nl (Sander Steffann)
Date: Sun, 30 Apr 2006 21:17:01 +0200
Subject: [dns-wg] "DNS Vulnerabilities" paper hits the mainstream
References: <761A99A4-9D9B-476B-BEBC-10B7679184A5@rfc1035.com> <006601c66c83$82ec5600$64c8a8c0@balefirehome>
Message-ID: <009e01c66c8a$a95a9390$64c8a8c0@balefirehome>

Hi,

On Apr 30, 2006, at 19:25, Jim Reid wrote:
> On Apr 30, 2006, at 19:25, Sander Steffann wrote:
> [...]
>
>> People might get scared :) It is good that attention is given to the
>> risks of badly secured DNS servers, but scaring the public like this...
>
> Indeed. Though personally speaking, I don't accept Sirer's methodology
> let alone his conclusions about "vulnerabilities" or badly secured name
> servers. Which doesn't for a moment mean the DNS has no vulnerabilities or
> badly secured servers. These do of course exist. Just not in the way Emin
> Gun Sirer has suggested.

I completely agree. I already mentioned it to some people at RIPE-52,
but I forgot to mention it here. It's also on slashdot:

[Perils of DNS at RIPE-52]
http://it.slashdot.org/article.pl?sid=06/04/26/1247240

- Sander

From paul at vix.com Sun Apr 30 18:37:24 2006
From: paul at vix.com (Paul Vixie)
Date: Sun, 30 Apr 2006 16:37:24 +0000
Subject: [dns-operations] [dns-wg] "DNS Vulnerabilities" paper hits the mainstream
In-Reply-To: Your message of "Sun, 30 Apr 2006 15:03:57 +0200." <830CF867F5A0D0C0DC62453E@E3993D2B0BE66833664712A4>
References: <761A99A4-9D9B-476B-BEBC-10B7679184A5@rfc1035.com> <830CF867F5A0D0C0DC62453E@E3993D2B0BE66833664712A4>
Message-ID: <19630.1146415044@sa.vix.com>

> > http://news.bbc.co.uk/1/hi/technology/4954208.stm
> >
> > Any thoughts on how to respond to that?
>
> Not having read the BBC article, I think something along
>
> "Yes, we know. Emin's work points out some of the far-gone consequences
> of not paying attention. We are, however, pretty convinced that:
> ...

i think this proposed response is a fine one. if anybody here wants to
use the public.oarci.net CMS as a publication point for such a
response, just sing out. it's possible that a longer treatment would
be useful, in which case i can recommend that it be writ as an IETF
BCP in the dnsop WG.

From s.steffann at computel.nl Sun Apr 30 20:25:50 2006
From: s.steffann at computel.nl (Sander Steffann)
Date: Sun, 30 Apr 2006 20:25:50 +0200
Subject: [dns-wg] "DNS Vulnerabilities" paper hits the mainstream
References: <761A99A4-9D9B-476B-BEBC-10B7679184A5@rfc1035.com>
Message-ID: <006601c66c83$82ec5600$64c8a8c0@balefirehome>

Hi,

> Emin Gun Sirer's paper/presentation at RIPE52 has been picked up by the
> BBC:
>
> http://news.bbc.co.uk/1/hi/technology/4954208.stm
>
> Any thoughts on how to respond to that?

Maybe someone 'official' should contact the BBC and try to cool this
down a bit. People might get scared :) It is good that attention is
given to the risks of badly secured DNS servers, but scaring the
public like this...

- Sander