From pk at DENIC.DE Wed Jul 4 10:59:44 2007
From: pk at DENIC.DE (Peter Koch)
Date: Wed, 4 Jul 2007 10:59:44 +0200
Subject: [dns-wg] DRAFT RIPE 54 DNS WG Minutes posted
Message-ID: <20070704085944.GC2438@unknown.office.denic.de>

Dear WG,

with apologies for the delay and many thanks to Adrian Bedford, who
delivered them on time, the draft minutes for the Tallinn meeting
are now available at

Please send in comments and/or corrections by Friday, 2007-08-03,
after which this or an amended version will be considered final.

-Peter

From president at ukraine.su Wed Jul 4 22:22:01 2007
From: president at ukraine.su (Max Tulyev)
Date: Wed, 04 Jul 2007 23:22:01 +0300
Subject: [dns-wg] IPv6 backresolve with DNSSEC
Message-ID: <468C0169.3080502@ukraine.su>

Hi All,

I tried to create a DNSSEC signed backresolve domain for my IPv6 block:

domain:    0.d.0.0.1.0.a.2.ip6.arpa
descr:     NetAssist LLC
org:       ORG-NL64-RIPE
admin-c:   MT6561-RIPE
tech-c:    MT6561-RIPE
zone-c:    MT6561-RIPE
nserver:   ns.netassist.kiev.ua
nserver:   ns.netassist.ru
ds-rdata:  46236 5 1 B42280F344BB12FCC5030673109EF84EF2C4D3A7
mnt-by:    MEREZHA-MNT
mnt-lower: MEREZHA-MNT
changed:   support at netassist.kiev.ua 20070704
source:    RIPE

and it fails with:

***Error: DS records are not accepted for this zone.


***Error: RDNS Authorisation failed

but without ds-rdata everything works fine.

Is it a (my) bug or a feature?

--
WBR,
Max Tulyev (MT6561-RIPE, 2:463/253 at FIDO)

From brettcarr at ripe.net Thu Jul 5 13:17:22 2007
From: brettcarr at ripe.net (Brett Carr)
Date: Thu, 5 Jul 2007 13:17:22 +0200
Subject: [dns-wg] IPv6 backresolve with DNSSEC
In-Reply-To: <468C0169.3080502@ukraine.su>
References: <468C0169.3080502@ukraine.su>
Message-ID: <908DF5C2-1A74-40AB-A72D-CAA7D8B88C2A@ripe.net>

Max,
we are looking into this I will get back to you on it.

Regards

--
Brett Carr
Manager -- DNS Services Group
RIPE Network Coordination Centre
Amsterdam

On Jul 4, 2007, at 10:22 PM, Max Tulyev wrote:

> Hi All,
>
> I tried to create a DNSSEC signed backresolve domain for my IPv6
> block:
>
> domain:    0.d.0.0.1.0.a.2.ip6.arpa
> descr:     NetAssist LLC
> org:       ORG-NL64-RIPE
> admin-c:   MT6561-RIPE
> tech-c:    MT6561-RIPE
> zone-c:    MT6561-RIPE
> nserver:   ns.netassist.kiev.ua
> nserver:   ns.netassist.ru
> ds-rdata:  46236 5 1 B42280F344BB12FCC5030673109EF84EF2C4D3A7
> mnt-by:    MEREZHA-MNT
> mnt-lower: MEREZHA-MNT
> changed:   support at netassist.kiev.ua 20070704
> source:    RIPE
>
> and it fails with:
>
> ***Error: DS records are not accepted for this zone.
>
>
> ***Error: RDNS Authorisation failed
>
> but without ds-rdata everything works fine.
>
> Is it a (my) bug or a feature?
>
> --
> WBR,
> Max Tulyev (MT6561-RIPE, 2:463/253 at FIDO)
>

From brettcarr at ripe.net Mon Jul 9 17:03:51 2007
From: brettcarr at ripe.net (Brett Carr)
Date: Mon, 9 Jul 2007 17:03:51 +0200
Subject: [dns-wg] IPv6 backresolve with DNSSEC
In-Reply-To: <468C0169.3080502@ukraine.su>
References: <468C0169.3080502@ukraine.su>
Message-ID: <2CB9CB66-1B89-4A82-81D1-39743EFEE10F@ripe.net>

Max,
sorry for the delay, we have now found and corrected a configuration
error in our provisioning system. If you would care to resubmit your
object containing the DS record it should now work without any problems.

Regards

Brett

--
Brett Carr
Manager -- DNS Services Group
RIPE Network Coordination Centre
Amsterdam

On Jul 4, 2007, at 10:22 PM, Max Tulyev wrote:

> Hi All,
>
> I tried to create a DNSSEC signed backresolve domain for my IPv6
> block:
>
> domain:    0.d.0.0.1.0.a.2.ip6.arpa
> descr:     NetAssist LLC
> org:       ORG-NL64-RIPE
> admin-c:   MT6561-RIPE
> tech-c:    MT6561-RIPE
> zone-c:    MT6561-RIPE
> nserver:   ns.netassist.kiev.ua
> nserver:   ns.netassist.ru
> ds-rdata:  46236 5 1 B42280F344BB12FCC5030673109EF84EF2C4D3A7
> mnt-by:    MEREZHA-MNT
> mnt-lower: MEREZHA-MNT
> changed:   support at netassist.kiev.ua 20070704
> source:    RIPE
>
> and it fails with:
>
> ***Error: DS records are not accepted for this zone.
>
>
> ***Error: RDNS Authorisation failed
>
> but without ds-rdata everything works fine.
>
> Is it a (my) bug or a feature?
>
> --
> WBR,
> Max Tulyev (MT6561-RIPE, 2:463/253 at FIDO)
>

--
Brett Carr
Manager -- DNS Services Group
RIPE Network Coordination Centre
Amsterdam

From president at ukraine.su Mon Jul 9 21:15:41 2007
From: president at ukraine.su (Max Tulyev)
Date: Mon, 09 Jul 2007 22:15:41 +0300
Subject: [dns-wg] IPv6 backresolve with DNSSEC
In-Reply-To: <2CB9CB66-1B89-4A82-81D1-39743EFEE10F@ripe.net>
References: <468C0169.3080502@ukraine.su> <2CB9CB66-1B89-4A82-81D1-39743EFEE10F@ripe.net>
Message-ID: <4692895D.7060609@ukraine.su>

Brett,

Thank you! It is fine now, and domain was just delegated with DNSSEC!

Brett Carr wrote:
> Max,
> sorry for the delay, we have now found and corrected a configuration
> error in our provisioning system. If you would care to resubmit your
> object containing the DS record it should now work without any problems.
>
> Regards
>
> Brett
>
>
> --
> Brett Carr
> Manager -- DNS Services Group
> RIPE Network Coordination Centre
> Amsterdam
>
>
> On Jul 4, 2007, at 10:22 PM, Max Tulyev wrote:
>
>> Hi All,
>>
>> I tried to create a DNSSEC signed backresolve domain for my IPv6 block:
>>
>> domain:    0.d.0.0.1.0.a.2.ip6.arpa
>> descr:     NetAssist LLC
>> org:       ORG-NL64-RIPE
>> admin-c:   MT6561-RIPE
>> tech-c:    MT6561-RIPE
>> zone-c:    MT6561-RIPE
>> nserver:   ns.netassist.kiev.ua
>> nserver:   ns.netassist.ru
>> ds-rdata:  46236 5 1 B42280F344BB12FCC5030673109EF84EF2C4D3A7
>> mnt-by:    MEREZHA-MNT
>> mnt-lower: MEREZHA-MNT
>> changed:   support at netassist.kiev.ua 20070704
>> source:    RIPE
>>
>> and it fails with:
>>
>> ***Error: DS records are not accepted for this zone.
>>
>>
>> ***Error: RDNS Authorisation failed
>>
>> but without ds-rdata everything works fine.
>>
>> Is it a (my) bug or a feature?
>>
>> --WBR,
>> Max Tulyev (MT6561-RIPE, 2:463/253 at FIDO)
>>
>
> --
> Brett Carr
> Manager -- DNS Services Group
> RIPE Network Coordination Centre
> Amsterdam
>
>
>

--
WBR,
Max Tulyev (MT6561-RIPE, 2:463/253 at FIDO)

From jaap at NLnetLabs.nl Tue Jul 24 21:18:26 2007
From: jaap at NLnetLabs.nl (Jaap Akkerhuis)
Date: Tue, 24 Jul 2007 21:18:26 +0200
Subject: [dns-wg] RIPE-55 coming up
Message-ID: <200707241918.l6OJIQRl015582@bartok.nlnetlabs.nl>

Yes, I know it will be October but these things have a habit of
sneaking up on you before you know it. Therefore, now is the time not
only for vacation but also to spend some thought about contributions
to the dns-wg or suggestions for topics.

jaap

From pk at DENIC.DE Thu Jul 26 20:21:25 2007
From: pk at DENIC.DE (Peter Koch)
Date: Thu, 26 Jul 2007 20:21:25 +0200
Subject: [dns-wg] DRAFT RIPE 54 DNS WG Minutes posted
In-Reply-To: <20070704085944.GC2438@unknown.office.denic.de>
References: <20070704085944.GC2438@unknown.office.denic.de>
Message-ID: <20070726182125.GB553@denics7.denic.de>

Dear WG,

> [...]
> the draft minutes for the Tallinn meeting
> are now available at
>
> Please send in comments and/or corrections by Friday, 2007-08-03,
> after which this or an amended version will be considered final.

haven't seen any comments on the minutes so far, so this is just a
reminder for next week's deadline.

-Peter

From Holger.Zuleger at hznet.de Fri Jul 27 16:12:11 2007
From: Holger.Zuleger at hznet.de (Holger Zuleger)
Date: Fri, 27 Jul 2007 16:12:11 +0200
Subject: [dns-wg] DRAFT RIPE 54 DNS WG Minutes posted
In-Reply-To: <20070726182125.GB553@denics7.denic.de>
References: <20070704085944.GC2438@unknown.office.denic.de> <20070726182125.GB553@denics7.denic.de>
Message-ID: <46A9FD3B.4030209@hznet.de>

Hi Peter,

I am very interested in joining the task force, and thought that I
already volunteered by email (Sent to the dns-wg chairs May 13, 2007).
Maybe the email was stuck in the bunch of other mails.

Holger

Peter Koch wrote:
> Dear WG,
>
>> [...] the draft minutes for the Tallinn meeting
>> are now available at
>>
>> Please send in comments and/or corrections by Friday, 2007-08-03,
>> after which this or an amended version will be considered final.
>
> haven't seen any comments on the minutes so far, so this is just a reminder
> for next week's deadline.
>
> -Peter
>

From jim at rfc1035.com Fri Jul 27 18:24:28 2007
From: jim at rfc1035.com (Jim Reid)
Date: Fri, 27 Jul 2007 17:24:28 +0100
Subject: [dns-wg] DRAFT RIPE 54 DNS WG Minutes posted
In-Reply-To: <46A9FD3B.4030209@hznet.de>
References: <20070704085944.GC2438@unknown.office.denic.de> <20070726182125.GB553@denics7.denic.de> <46A9FD3B.4030209@hznet.de>
Message-ID: <1366DCA4-7B3A-4751-A00B-F61DF099FB3D@rfc1035.com>

On Jul 27, 2007, at 15:12, Holger Zuleger wrote:

> I am very interested in joining the task force, and thought that I
> already volunteered by email (Sent to the dns-wg chairs May 13, 2007).

You have. But that was after the WG meeting in Tallinn. The WG
minutes reflect what happened at RIPE54. You didn't volunteer until
after the RIPE meeting, so your kind offer to participate in the task
force can't be recorded in the WG minutes. :-)

> Maybe the email was stuck in the bunch of other mails.

Nope.

I'm chasing the NCC about the logistics of getting the task force
established -- web pages, wikis?, mailing list, etc. Watch this space
Holger.

From Holger.Zuleger at hznet.de Fri Jul 27 23:51:31 2007
From: Holger.Zuleger at hznet.de (Holger Zuleger)
Date: Fri, 27 Jul 2007 23:51:31 +0200
Subject: [dns-wg] DRAFT RIPE 54 DNS WG Minutes posted
In-Reply-To: <1366DCA4-7B3A-4751-A00B-F61DF099FB3D@rfc1035.com>
References: <20070704085944.GC2438@unknown.office.denic.de> <20070726182125.GB553@denics7.denic.de> <46A9FD3B.4030209@hznet.de> <1366DCA4-7B3A-4751-A00B-F61DF099FB3D@rfc1035.com>
Message-ID: <46AA68E3.2000102@hznet.de>

Hi Jim,

>> I am very interested in joining the task force, and thought that I
>> already volunteered by email (Sent to the dns-wg chairs May 13, 2007).
>
> You have. But that was after the WG meeting in Tallinn. The WG minutes
> reflect what happened at RIPE54.
> You didn't volunteer until after the
> RIPE meeting, so your kind offer to participate in the task force can't
> be recorded in the WG minutes. :-)

Oops. I have written the email during the second dns-wg session, just
before I had to hurry up to get my flight back...
Seems to be that I made a typo above. :-(

>
> I'm chasing the NCC about the logistics of getting the task force
> established -- web pages, wikis?, mailing list, etc. Watch this space
> Holger.

Great!
Thank you very much for the info.

Holger

From pk at DENIC.DE Tue Jul 31 06:47:18 2007
From: pk at DENIC.DE (Peter Koch)
Date: Tue, 31 Jul 2007 06:47:18 +0200
Subject: [dns-wg] Last Call: Secondary service on ns.ripe.net for reverse delegations
Message-ID: <20070731044718.GA7358@denics7.denic.de>

Dear WG,

at the Tallinn meeting, Brett Carr gave a presentation on DNS operations
at the RIPE NCC. In his report a proposal regarding the DNS name service
for /16 reverse was made. See , item [D] for the minutes and slide 12 of
the presentation for details.

This resulted in action item 54.1 on the NCC to solicit feedback on the
proposal. Brett started a thread on the DNS WG mailing list on May, 14th
(Message-ID: <4A6256C3-97B5-4415-BC93-9A2978A01A20 at ripe.net>).

Summary: To eliminate an inconsistency between IPv4 and IPv6 policies,
where /16 reverse on ns.ripe.net is mandatory for v4 and there's no such
policy for v6, three options were given:

1) Make ns.ripe.net mandatory on ipv4 and ipv6 delegations
2) Make ns.ripe.net optional on ipv4 and ipv6 delegations
3) Discontinue the secondary service on ns.ripe.net for new delegations.

The NCC's preference was (2).

The thread started as mentioned above saw 8 replies until June. Those who
expressed an opinion were in favour of going forward with (2).

Since the thread hasn't been active for a while, the WG chairs would like
to issue a Last Call on this topic. Please take these remarks into
consideration:

o While cost of service has been mentioned, detailed discussion would be
  a topic for the NCC Services WG. For now we assume that the cost
  structure (essentially: no additional cost) will remain unmodified.

o When the secondary service is "optional" this should be read in a
  symmetric way, i.e. not only the /16 maintainer can choose to opt-out,
  but also the NCC could, on reasonable operational grounds, terminate
  or not activate support for a particular zone.

Now, finally, even though this issue is not subject to the PDP, this is a

    Last Call until Friday, 31 August 2007, 12:00 UTC

Please voice your opinion, the default will be to continue with (2) above.
We'd like to ask the NCC to prepare an implementation plan after this date.

-Peter Koch [DNS WG co-chair]