From mat at mat.cc Fri Nov 13 22:41:21 2009
From: mat at mat.cc (Mathieu Arnold)
Date: Fri, 13 Nov 2009 22:41:21 +0100
Subject: [dns-wg] DNSSEC - DS RR provisioning
In-Reply-To:
References:
Message-ID: <168F0ED836FEEC6C6A639F79@atuin.in.mat.cc>

+--On 5 October 2009 15:52:06 +0100 Edward Lewis wrote:
| In case you don't want to go through the slides, I'd like to ask these
| questions:
|
| 1. If you are planning to receive DS records for any reason, how do you
| plan to do it? (You don't have to be a TLD to need to do this.)

As a registry, through EPP or other home brewed registry/registrar
interface.
As a standard parent, through a home brewed web interface.

| 2. If you are operating DNS for people and are considering DNSSEC, have
| you thought about how the DS record will be passed to your customers'
| zones parents?

about the same as above.

| 3. If you operate a recursive server, where do you plan to get DNSSEC
| public keys (for example, ISC's DLV)?

Well, obviously, there are two cases here :
1) the root is signed, that's the only key I'll ever need (sight), and I'll
get it through the proper channels that will be put up at that time.
2) the root is not, DLV is a very nice thing.

--
Mathieu Arnold

From paul at xelerance.com Fri Nov 13 23:57:36 2009
From: paul at xelerance.com (Paul Wouters)
Date: Fri, 13 Nov 2009 17:57:36 -0500 (EST)
Subject: [dns-wg] DNSSEC - DS RR provisioning
In-Reply-To: <168F0ED836FEEC6C6A639F79@atuin.in.mat.cc>
References: <168F0ED836FEEC6C6A639F79@atuin.in.mat.cc>
Message-ID:

On Fri, 13 Nov 2009, Mathieu Arnold wrote:

> | 3. If you operate a recursive server, where do you plan to get DNSSEC
> | public keys (for example, ISC's DLV)?
>
> Well, obviously, there are two cases here :
> 1) the root is signed, that's the only key I'll ever need (sight), and I'll
> get it through the proper channels that will be put up at that time.

Only if you're willing to wait 2 years on .com to get signed.
DLV is still useful after the root is signed and before .com is signed.
The same applies for other unsigned TLDs, but most people will ignore
those.

Paul

From bortzmeyer at nic.fr Sat Nov 14 02:52:00 2009
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Sat, 14 Nov 2009 10:52:00 +0900
Subject: [dns-wg] Re: DNSSEC - DS RR provisioning
In-Reply-To:
References: <168F0ED836FEEC6C6A639F79@atuin.in.mat.cc>
Message-ID: <20091114015159.GA11748@laperouse.bortzmeyer.org>

On Fri, Nov 13, 2009 at 05:57:36PM -0500,
Paul Wouters wrote
a message of 15 lines which said:

> Only if you're willing to wait 2 years on .com to get signed.

If you have a ".com", you will need to wait for ".com" to be signed +
for ".com" to accept DS records (for most TLDs which were signed, there
was a non-trivial delay here) + for your registrar to accept and relay
DS records (the experience with AAAA glue records makes me pessimistic
here).

So, yes, saying we won't need DLV after the root is signed is
short-sighted.

From Mats.Dufberg at teliasonera.com Mon Nov 16 11:34:48 2009
From: Mats.Dufberg at teliasonera.com (Mats.Dufberg at teliasonera.com)
Date: Mon, 16 Nov 2009 11:34:48 +0100
Subject: [dns-wg] DNSSEC - DS RR provisioning
In-Reply-To:
References:
Message-ID:

> From: dns-wg-admin at ripe.net [mailto:dns-wg-admin at ripe.net] On
> Behalf Of Edward Lewis
> Sent: 5 October 2009 16:52

> 1. If you are planning to receive DS records for any reason, how do
> you plan to do it? (You don't have to be a TLD to need to do this.)

N/A

> 2. If you are operating DNS for people and are considering DNSSEC,
> have you thought about how the DS record will be passed to your
> customers' zones parents?

Yes, but no solution except for the domains we are registrar for.

> 3. If you operate a recursive server, where do you plan to get DNSSEC
> public keys (for example, ISC's DLV)?

Currently, .SE key only. When DNSsec is in production for the root and
.SE has DS records in the root zone, the root key only.
Mats

------------------------------------------
Mats Dufberg
TeliaSonera BBS P&P AP SP Internet
+46-70-2582588
mats.dufberg at teliasonera.com
------------------------------------------

From mat at mat.cc Tue Nov 17 00:45:08 2009
From: mat at mat.cc (Mathieu Arnold)
Date: Tue, 17 Nov 2009 00:45:08 +0100
Subject: [dns-wg] Re: DNSSEC - DS RR provisioning
In-Reply-To: <20091114015159.GA11748@laperouse.bortzmeyer.org>
References: <168F0ED836FEEC6C6A639F79@atuin.in.mat.cc> <20091114015159.GA11748@laperouse.bortzmeyer.org>
Message-ID: <03A726849707AD3C8E69D064@atuin.in.mat.cc>

+--On 14 November 2009 10:52:00 +0900 Stephane Bortzmeyer wrote:
| On Fri, Nov 13, 2009 at 05:57:36PM -0500,
| Paul Wouters wrote
| a message of 15 lines which said:
|
|> Only if you're willing to wait 2 years on .com to get signed.
|
| If you have a ".com", you will need to wait for ".com" to be signed +
| for ".com" to accept DS records (for most TLDs which were signed, there
| was a non-trivial delay here) + for your registrar to accept and relay
| DS records (the experience with AAAA glue records makes me pessimistic
| here).
|
| So, yes, saying we won't need DLV after the root is signed is
| short-sighted.

Ok, I should have been more specific, I meant when the root is signed and I
can verify the signatures all the way down. Of course DLV will be very
useful in the years to come.

--
Mathieu Arnold
who's just had to remove DNSSEC from a few zones because of qmail.
From denis at ripe.net Mon Nov 23 14:17:24 2009
From: denis at ripe.net (Denis Walker)
Date: Mon, 23 Nov 2009 14:17:24 +0100
Subject: [dns-wg] Removal of Forward DOMAIN data from the RIPE Database
Message-ID: <4B0A8B64.4060109@ripe.net>

[Apologies for duplicates]

Dear Colleagues,

The RIPE NCC has published an implementation plan for the removal of
forward DOMAIN objects from the RIPE Database. It can be found at:

http://www.ripe.net/db/support/forward-domain-objects-removal.html

Please focus the discussion, if possible, on one working group mailing
list. Because it is a data clean-up process, we suggest the Database
Working Group.

Regards
Denis Walker
Business Analyst
Database Group
RIPE NCC

From denis at ripe.net Mon Nov 30 13:13:42 2009
From: denis at ripe.net (Denis Walker)
Date: Mon, 30 Nov 2009 13:13:42 +0100
Subject: [dns-wg] DOMAIN object proposals
Message-ID: <4B13B6F6.1030300@ripe.net>

Dear Colleagues,

The RIPE NCC made two proposals recently concerning DOMAIN objects:

22 October
New rules for reverse domain object creation in the RIPE Database
http://www.ripe.net/ripe/maillists/archives/dns-wg/2009/msg00104.html

23 November
Removal of Forward DOMAIN data from the RIPE Database
http://www.ripe.net/ripe/maillists/archives/dns-wg/2009/msg00119.html

There have been no comments for or against either of these proposals on
the mailing lists. They were both discussed at RIPE Meetings, without
any negative comments.

We would like to ask for any final comments by this Friday, 4 December
2009, so the working group chairs can then draw a consensus.

Regards,
Denis Walker
Business Analyst, Database Group
RIPE NCC