From gall at switch.ch  Thu Dec 13 09:52:30 2007
From: gall at switch.ch (Alexander Gall)
Date: Thu, 13 Dec 2007 09:52:30 +0100
Subject: [dns-wg] Bad secure delegation of ris.ripe.net
Message-ID: <18272.62158.46370.215484@hadron.switch.ch>

Hello DISI

The zone ris.ripe.net is bogus.  It appears that the DS RR doesn't
match the KSK DNSKEY RR.  ripe.net is fine (with the newest trust
anchors).  According to drill:

: gall at hadron[gall]; cat /tmp/ripe.key
ripe.net. IN DNSKEY 257 3 5 AwEAAZ+vLzvkn0wkjcSmpoZRIOU0Suaw1EegrH9T0vwGOG9EbdgBYs6p 1lyjy2aHfZ4EnhVVVsElpSMBFzKItwzJeR9jxZC23dHw57saKC6enu7K K0m3fUQagzHqcu5RKn/T+0w1Q51UTdsLiBfCpqzQ10+T1oRxCXYWOyIi jApUQCFvybf1U6S/7lOLagzzoSU6lzxcUivWxLEM0SbzYIoV1OWXIjnj X/7/ChvZPqr01iY9th4nXlK52Da0mPaPbunLF353s4LQ6CsmcFG3zCfg 6iYRugF/NE1uMbdpzsff7nV1/K4PdSJjLt/AKsofQbbca8zH6YEolTcA T8o18/H13jE=

: gall at hadron[gall]; drill -S -k /tmp/ripe.key ripe.net. soa | tail -5
DNSSEC Trust tree:
ripe.net. (SOA)
|---ripe.net. (DNSKEY keytag: 62805)
    |---ripe.net. (DNSKEY keytag: 21238)
;; Chase successful

: gall at hadron[gall]; drill -S -k /tmp/ripe.key ris.ripe.net. soa | tail -5
ris.ripe.net. (SOA)
|---ris.ripe.net. (DNSKEY keytag: 51156)
    |---ris.ripe.net. (DNSKEY keytag: 21022)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

The keytag of the DS record is 56179

: gall at hadron[unbound]; dig ris.ripe.net. ds +short
56179 5 1 B8F1169306DA0679416580D5AC3F43572B3318B6

-- 
Alex

From sjoerdoo at ripe.net  Thu Dec 13 12:12:18 2007
From: sjoerdoo at ripe.net (Sjoerd Oostdijck)
Date: Thu, 13 Dec 2007 12:12:18 +0100
Subject: [dns-wg] Bad secure delegation of ris.ripe.net
In-Reply-To: <18272.62158.46370.215484@hadron.switch.ch>
References: <18272.62158.46370.215484@hadron.switch.ch>
Message-ID: <47611392.4070805@ripe.net>

Alexander Gall wrote:
> Hello DISI
>
> The zone ris.ripe.net is bogus.  It appears that the DS RR doesn't
> match the KSK DNSKEY RR.  ripe.net is fine (with the newest trust
> anchors).  According to drill:
>
>

Dear mr Gall and mailing list,

Due to human error on our side the DS records were not updated when we
introduced new keys 3 months ago. When we removed the old keys yesterday
the DS records stopped working. I fixed the DS records this morning
around 10:40 CET so things should be back up and working as soon as the
zone is reloaded on your nameserver or the TTL expires.

Kind regards,

-- 
Sjoerd Oostdijck -- DNS Services group
Ripe NCC -- Singel 258 Amsterdam NL

From barbara.roseman at icann.org  Mon Dec 31 19:05:55 2007
From: barbara.roseman at icann.org (Barbara Roseman)
Date: Mon, 31 Dec 2007 10:05:55 -0800
Subject: [dns-wg] AAAA records to be added for root servers
Message-ID: <49878589-D2C2-485F-98D2-4A57127CFDFB@icann.org>

apologies for cross-posting...

On 4 February 2008, IANA will add AAAA records for the IPv6 addresses
of the four root servers whose operators have requested it. A technical
analysis of inserting IPv6 records into the root has been done by a
joint working group of ICANN's Root Server System Advisory Committee
and Security and Stability Advisory Committee, a report of which can be
found at http://www.icann.org/committees/security/sac018.pdf.

Network operators should take whatever steps they feel appropriate to
prepare for the inclusion of AAAA records in response to root queries.

More information will be posted to the IANA web site during January.

Regards,

Barbara Roseman
IANA General Operations Manager
ICANN