From sjoerdoo at ripe.net Mon Sep 1 10:27:12 2008 From: sjoerdoo at ripe.net (Sjoerd Oostdijck) Date: Mon, 1 Sep 2008 10:27:12 +0200 Subject: [dns-wg] Planned maintenance on ns.ripe.net, 2 Sept. Message-ID: [Apologies for duplicate e-mails.] Dear Colleagues, On Tuesday, 2 September 2008, the RIPE NCC will perform maintenance on the ns.ripe.net server between 10:00 and 12:00 (UTC). During this period, it may not be able to answer DNS queries. The aim of this maintenance is to introduce a second server to improve performance of the system. If ns.ripe.net provides secondary DNS name service for your zone, no changes on your side will be required. During the maintenance, other servers in your NS set will take over and no downtime will be visible to the Internet. We apologise for any inconvenience this maintenance may cause. If you have any questions or concerns about this, please email dns-help at ripe.net Regards, Sjoerd Oostdijck DNS Services The RIPE NCC From training at ripe.net Mon Sep 1 11:34:28 2008 From: training at ripe.net (Training) Date: Mon, 1 Sep 2008 11:34:28 +0200 Subject: [dns-wg] ANNOUNCEMENT: RIPE NCC Training Courses Message-ID: <20080901113428.69817310@cat.ripe.net> [Apologies for duplicate e-mails] Dear Colleagues, The RIPE NCC invites you to register for one of our upcoming training courses: - The LIR Training Course This course teaches LIRs how to request Internet number resources and interact with the RIPE NCC. A course outline is available at: http://www.ripe.net/training/lir/outline.html - The Routing Registry Training Course This course teaches LIRs how to use the RIPE Database for routing. A course outline is available at: http://www.ripe.net/training/rr/outline.html - The DNS for LIRs Training Course This course teaches LIRs about the RIPE NCC's DNS-related services. A course outline is available at: http://www.ripe.net/training/dns/outline.html To see the location of upcoming courses and to register, please use the LIR Portal or complete the registration form on our website at: http://www.ripe.net/cgi-bin/trainingform.pl.cgi If you have any questions please do not hesitate to contact us at . Kind regards, Rumy Kanis Training Services Manager RIPE NCC From ondrej.sury at nic.cz Tue Sep 2 23:14:02 2008 From: ondrej.sury at nic.cz (=?UTF-8?Q?Ond=C5=99ej_Sur=C3=BD?=) Date: Tue, 2 Sep 2008 23:14:02 +0200 Subject: [dns-wg] Signed .cz zone Message-ID: Hello all, we have signed .cz on Sep 1st 2008. Key can be found at https://www.nic.cz/dnssec/ (bottom of the page). EPP interface for registering DS RRsets will be launched on Sep 30 2008. Please report any errors (hope there are none) or sugestions to my address. Regards, -- Ond?ej Sur? technick? ?editel/Chief Technical Officer ----------------------------------------- CZ.NIC, z.s.p.o. -- .cz domain registry Americk? 23,120 00 Praha 2,Czech Republic mailto:ondrej.sury at nic.cz http://nic.cz/ sip:ondrej.sury at nic.cz tel:+420.222745110 mob:+420.739013699 fax:+420.222745112 ----------------------------------------- From wnagele at ripe.net Wed Sep 3 14:15:30 2008 From: wnagele at ripe.net (Wolfgang Nagele) Date: Wed, 03 Sep 2008 14:15:30 +0200 Subject: [dns-wg] Upgrade of the reverse DNS provisioning system at 8 September 2008, between 09:00 and 12:00 (UTC) Message-ID: <48BE7FE2.6060003@ripe.net> [Apologies for duplicate emails] Dear Colleagues, On 8 September 2008, between 09:00 and 12:00 (UTC), the RIPE NCC will upgrade the reverse DNS provisioning system. This change will enable the server ns.ripe.net to perform zone transfers over IPv6. If your reverse zone has a master server with an IPv6 address, this will be used in preference to the IPv4 address after the change. We apologise for any inconvenience this change may cause. If you have any questions or concerns about this, please email . Regards, -- Wolfgang Nagele DNS System Engineer RIPE NCC Singel 258 1016 AB Amsterdam Tel: +31 20 535 4444 Fax: +31 20 535 4445 -------------- next part -------------- A non-text attachment was scrubbed... Name: wnagele.vcf Type: text/x-vcard Size: 275 bytes Desc: not available URL: From jim at rfc1035.com Tue Sep 9 13:22:47 2008 From: jim at rfc1035.com (Jim Reid) Date: Tue, 9 Sep 2008 12:22:47 +0100 Subject: [dns-wg] Agenda items for RIPE57 Message-ID: It's that time again... The next RIPE meeting is just over 6 weeks away. So it's about time an agenda was put together for the WG sessions in Dubai. Could you please send suggestions for agenda topics and/or presentations to dns-wg-chair at ripe.net ? Thanks. From Ray.Bellis at nominet.org.uk Mon Sep 15 16:40:10 2008 From: Ray.Bellis at nominet.org.uk (Ray.Bellis at nominet.org.uk) Date: Mon, 15 Sep 2008 15:40:10 +0100 Subject: [dns-wg] Announcement: Test Report on DNSSEC impact on SOHO CPE Message-ID: [with apologies for the cross-postings to multiple lists] Dear Colleagues, We would like to announce the publication of a joint study entitled "DNSSEC Impact on Broadband Routers and Firewalls", available for download at: http://download.nominet.org.uk/dnssec-cpe/DNSSEC-CPE-Report.pdf In summary (based on 24 tested units): "... we conclude that just 6 units (25%) operate with full DNSSEC compatibility "out of the box." 9 units (37%) can be reconfigured to bypass DNS proxy incompatibilities. Unfortunately, the rest (38%) lack reconfigurable DHCP DNS parameters, making it harder for LAN clients to bypass their interference with DNSSEC use. These findings, their potential impact on DNSSEC use by broadband consumers, and implications for router/firewall manufacturers, are presented and analyzed in this report. " Ray Bellis Senior Researcher in Advanced Projects Nominet UK Lisa A. Phifer President, Core Competence, Inc. From paul at xelerance.com Tue Sep 16 19:21:51 2008 From: paul at xelerance.com (Paul Wouters) Date: Tue, 16 Sep 2008 13:21:51 -0400 (EDT) Subject: [dns-wg] Announcement: Test Report on DNSSEC impact on SOHO CPE In-Reply-To: References: Message-ID: On Mon, 15 Sep 2008, Ray.Bellis at nominet.org.uk wrote: > In summary (based on 24 tested units): > > "... we conclude that just 6 units (25%) operate with full DNSSEC > compatibility "out of the box." 9 units (37%) can be reconfigured to > bypass DNS proxy incompatibilities. Unfortunately, the rest (38%) lack > reconfigurable DHCP DNS parameters, making it harder for LAN clients to > bypass their interference with DNSSEC use. Wow. So nothing much changed in almost a year, when this issue was first found by .SE. I was hoping that modern DSL/wifi routers which supports 802.11n would have had fixed their firmware by now. > These findings, their potential impact on DNSSEC use by broadband > consumers, and implications for router/firewall manufacturers, are > presented and analyzed in this report. " The report is excellent. Thank you very much for sharing it with us. I have two questions. 1) Vendor actions What are the vendor status and/or responses? Were they contacted? did they respond? Are they planning updates? 2) base OS? Is there a similarity in these firmwares? eg are they using the same DNS software inside? Perhaps the vendors are not the people we should be talking to? For instance, many Linux based routers use the "dnsmasq" software. Depending on its status, it might be worth contacting the upstream software provider of the commercial router vendors. Paul From Ray.Bellis at nominet.org.uk Tue Sep 16 20:55:44 2008 From: Ray.Bellis at nominet.org.uk (Ray.Bellis at nominet.org.uk) Date: Tue, 16 Sep 2008 19:55:44 +0100 Subject: [dns-wg] Announcement: Test Report on DNSSEC impact on SOHO CPE In-Reply-To: Message-ID: > The report is excellent. Thank you very much for sharing it with us. You're welcome :) > I have two questions. > > 1) Vendor actions > > What are the vendor status and/or responses? Were they contacted? did they > respond? Are they planning updates? We did contact vendor technical support, in particular to determine whether any work-arounds exist on those routers that don't appear to allow the DNS settings in the DHCP server to be changed. However attempts to reach product management types to talk about implementation issues were generally fruitless. I did manage to report my findings to Zyxel UK through an existing contact, though. I'm hoping that some of the vendors will get in touch with me, now that the report is published. > 2) base OS? > > Is there a similarity in these firmwares? eg are they using the same > DNS software inside? Perhaps the vendors are not the people we should > be talking to? For instance, many Linux based routers use the "dnsmasq" > software. Depending on its status, it might be worth contacting the > upstream software provider of the commercial router vendors. We didn't see any direct evidence of shared code between vendors. We did see some quirks that might suggest commonality (e.g. NAT tranlation failures) but didn't look for anything to prove a link. kind regards, Ray -- Ray Bellis, MA(Oxon) Senior Researcher in Advanced Projects, Nominet e: ray at nominet.org.uk, t: +44 1865 332211 From steve at shinkuro.com Tue Sep 16 20:57:20 2008 From: steve at shinkuro.com (Steve Crocker) Date: Tue, 16 Sep 2008 14:57:20 -0400 Subject: [dnssec-deployment] [dns-wg] Announcement: Test Report on DNSSEC impact on SOHO CPE In-Reply-To: References: Message-ID: Thanks. Steve On Sep 16, 2008, at 2:55 PM, Ray.Bellis at nominet.org.uk wrote: >> The report is excellent. Thank you very much for sharing it with us. > > You're welcome :) > >> I have two questions. >> >> 1) Vendor actions >> >> What are the vendor status and/or responses? Were they contacted? > did they >> respond? Are they planning updates? > > We did contact vendor technical support, in particular to determine > whether any work-arounds exist on those routers that don't appear > to allow > the DNS settings in the DHCP server to be changed. > > However attempts to reach product management types to talk about > implementation issues were generally fruitless. I did manage to > report my > findings to Zyxel UK through an existing contact, though. > > I'm hoping that some of the vendors will get in touch with me, now > that > the report is published. > >> 2) base OS? >> >> Is there a similarity in these firmwares? eg are they using >> the same >> DNS software inside? Perhaps the vendors are not the people we > should >> be talking to? For instance, many Linux based routers use the > "dnsmasq" >> software. Depending on its status, it might be worth >> contacting the >> upstream software provider of the commercial router vendors. > > We didn't see any direct evidence of shared code between vendors. > We did > see some quirks that might suggest commonality (e.g. NAT tranlation > failures) but didn't look for anything to prove a link. > > kind regards, > > Ray > > -- > Ray Bellis, MA(Oxon) > Senior Researcher in Advanced Projects, Nominet > e: ray at nominet.org.uk, t: +44 1865 332211 > > ############################################################# > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > A public archive is available here: Lists/dnssec-deployment/> > and older material is at >