From pk at DENIC.DE Mon Apr 4 01:36:42 2011
From: pk at DENIC.DE (Peter Koch)
Date: Mon, 4 Apr 2011 01:36:42 +0200
Subject: [dns-wg] Call for RIPE 62 DNS-WG agenda items
Message-ID: <20110403233642.GU26225@x27.adm.denic.de>

Dear DNS WG,

the RIPE62 meeting in Amsterdam is four weeks away and we need to eventually populate the agenda. Please note we have, as usual, two slots available. This time they are on Wed and Thu morning, in parallel with EIX and one of the address policy sessions.

We plan to have the usual round of updates from the IETF and other international fora (volunteers still welcome) as well as from the RIPE NCC. There are some presentation proposals already, but your chairs would like to encourage even more contributions from the broader community.

You will likely sense an overall theme of IPv6 across the various WG and plenary slots and while this might be an inspiration to some, it doesn't have to constrain any ideas you have. Do not believe that what you present would have to be next year's research project. Short demonstrations of operational practice are fine!

Just let me know of any suggestions.

-Peter

From denis at ripe.net Tue Apr 5 13:45:32 2011
From: denis at ripe.net (Denis Walker)
Date: Tue, 05 Apr 2011 13:45:32 +0200
Subject: [dns-wg] Deletion of Forward DOMAIN object data from the RIPE Database
Message-ID: <4D9B00DC.5030104@ripe.net>

[Apologies for duplicate emails]

Dear Colleagues,

The RIPE NCC announced to the mailing lists on 29 March that Forward DOMAIN object data will be deleted this week:
http://www.ripe.net/ripe/maillists/archives/db-wg/2011/msg00074.html

All Forward DOMAIN object data has now been deleted from the RIPE Database, except for the four top-level domain (TLD) operators who are still actively using the RIPE Database.

It is not possible for any user to re-create a top-level Forward DOMAIN object in the RIPE Database. Without the TLD object, no second-level DOMAIN object creations can be authorised.
When the last four TLD operators have moved their data to their own systems, we will modify the update software so it will not recognise any Forward DOMAIN objects.

Regards,
Denis Walker
RIPE NCC Database Group

From bortzmeyer at nic.fr Thu Apr 7 14:38:34 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Thu, 7 Apr 2011 14:38:34 +0200
Subject: [dns-wg] Re: Deletion of Forward DOMAIN object data from the RIPE Database
In-Reply-To: <4D9B00DC.5030104@ripe.net>
References: <4D9B00DC.5030104@ripe.net>
Message-ID: <20110407123834.GA1122@nic.fr>

On Tue, Apr 05, 2011 at 01:45:32PM +0200, Denis Walker wrote a message of 21 lines which said:

> The RIPE NCC announced to the mailing lists on 29 March that Forward
> DOMAIN object data will be deleted this week:
> http://www.ripe.net/ripe/maillists/archives/db-wg/2011/msg00074.html

May I ask why "fr" is not in the list? It should have been deleted as well.

% whois -h whois.ripe.net -R fr
domain: fr
descr: Top-level-domain for France
descr: AFNIC (NIC France)
descr: Domaine de Voluceau B.P. 105
descr: F-78153 Le Chesnay CEDEX, France
refer: RIPE whois.nic.fr 43
admin-c: NFC1-RIPE
tech-c: NFC1-RIPE
zone-c: NFC1-RIPE
nserver: ns1.nic.fr
nserver: ns2.nic.fr
nserver: ns3.nic.fr
...

[Completely outdated and unmaintained]

From bortzmeyer at nic.fr Thu Apr 7 15:46:43 2011
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Thu, 7 Apr 2011 15:46:43 +0200
Subject: [dns-wg] Re: Deletion of Forward DOMAIN object data from the RIPE Database
In-Reply-To: <20110407123834.GA1122@nic.fr>
References: <4D9B00DC.5030104@ripe.net> <20110407123834.GA1122@nic.fr>
Message-ID: <20110407134643.GA31393@nic.fr>

On Thu, Apr 07, 2011 at 02:38:34PM +0200, Stephane Bortzmeyer wrote a message of 48 lines which said:

> May I ask why "fr" is not in the list? It should have been deleted as
> well.

We just received the notification of deletion. So, apparently, Denis Walker's message was just sent too early.

From denis at ripe.net Thu Apr 7 15:55:21 2011
From: denis at ripe.net (Denis Walker)
Date: Thu, 07 Apr 2011 15:55:21 +0200
Subject: [dns-wg] Re: Deletion of Forward DOMAIN object data from the RIPE Database
In-Reply-To: <20110407134643.GA31393@nic.fr>
References: <4D9B00DC.5030104@ripe.net> <20110407123834.GA1122@nic.fr> <20110407134643.GA31393@nic.fr>
Message-ID: <4D9DC249.8090603@ripe.net>

Stephane Bortzmeyer wrote:
> On Thu, Apr 07, 2011 at 02:38:34PM +0200,
> Stephane Bortzmeyer wrote
> a message of 48 lines which said:
>
>
>> May I ask why "fr" is not in the list? It should have been deleted as
>> well.
>>
>
> We just received the notification of deletion. So, apparently, Denis
> Walker's message was just sent too early.
>

To be honest it was an oversight on our part. We deleted all the Forward DOMAIN objects ending in .TLD. But the TLD object itself has no '.' so they were not deleted. We have now deleted them all (except for the 4 active TLD operators). Thanks for pointing this out.

Incidentally, we have also just deleted a small number of invalid reverse DOMAIN objects as well. For example objects ending in 'in-addr-arpa' with a '-' instead of a '.'.
Regards
Denis Walker
Business Analyst
RIPE NCC Database Group

From Piotr.Strzyzewski at polsl.pl Thu Apr 7 15:19:26 2011
From: Piotr.Strzyzewski at polsl.pl (Piotr Strzyzewski)
Date: Thu, 7 Apr 2011 15:19:26 +0200
Subject: [dns-wg] Re: [db-wg] Re: Deletion of Forward DOMAIN object data from the RIPE Database
In-Reply-To: <20110407123834.GA1122@nic.fr>
References: <4D9B00DC.5030104@ripe.net> <20110407123834.GA1122@nic.fr>
Message-ID: <20110407131926.GE658@hydra.ck.polsl.pl>

On Thu, Apr 07, 2011 at 02:38:34PM +0200, Stephane Bortzmeyer wrote:
> On Tue, Apr 05, 2011 at 01:45:32PM +0200,
> Denis Walker wrote
> a message of 21 lines which said:
>
> > The RIPE NCC announced to the mailing lists on 29 March that Forward
> > DOMAIN object data will be deleted this week:
> > http://www.ripe.net/ripe/maillists/archives/db-wg/2011/msg00074.html
>
> May I ask why "fr" is not in the list? It should have been deleted as
> well.
>
> % whois -h whois.ripe.net -R fr
> domain: fr
> descr: Top-level-domain for France
> descr: AFNIC (NIC France)
> descr: Domaine de Voluceau B.P. 105
> descr: F-78153 Le Chesnay CEDEX, France
> refer: RIPE whois.nic.fr 43
> admin-c: NFC1-RIPE
> tech-c: NFC1-RIPE
> zone-c: NFC1-RIPE
> nserver: ns1.nic.fr
> nserver: ns2.nic.fr
> nserver: ns3.nic.fr
> ...
>
> [Completely outdated and unmaintained]

It seems that other cc-tld's are also still here. ".pl", ".de", ".cz", ".sk" just for example.
Also some strange domain objects like "dnsquery" (taken from ftp DB dump):

$ whois -rB -T domain dnsquery
domain: dnsquery
descr: Reverse delegation
admin-c: RB1230-RIPE
tech-c: LL271-RIPE
zone-c: LL271-RIPE
mnt-by: MNT-MNT
changed: hostmaster at mynet.it 20050622
source: RIPE

Piotr

--
gucio -> Piotr Strzyżewski
E-mail: Piotr.Strzyzewski at polsl.pl

From wnagele at ripe.net Wed Apr 13 11:47:53 2011
From: wnagele at ripe.net (Wolfgang Nagele)
Date: Wed, 13 Apr 2011 11:47:53 +0200
Subject: [dns-wg] Re: [Dnssec-deployment] IN-ADDR.ARPA Nameserver Change Complete
In-Reply-To: <4D8B97C9.7030700@ripe.net>
References: <4D8B97C9.7030700@ripe.net>
Message-ID: <4DA57149.6070407@ripe.net>

Hi,

>> RIPE have signed high-level IPv4 reverse zones, and trust anchors for
>> them have been imported into dlv.isc.org
>> have signed high-level IPv6 reverse zones, and actually have DS
>> records for them in IP6.ARPA
> We are going to submit our DS records for zones below in-addr.arpa during our
> next KSK rollover. This rollover is currently scheduled for mid April 2011. See:
> https://www.ripe.net/data-tools/dns/dnssec/dnssec-keys

I am happy to announce that this has been completed today. RIPE NCC IPv4 reverse space is now fully linked to the chain of trust from the root zone down.

Regards,

Wolfgang Nagele
DNS Group Manager, RIPE NCC

From denis at ripe.net Mon Apr 18 11:28:12 2011
From: denis at ripe.net (Denis Walker)
Date: Mon, 18 Apr 2011 11:28:12 +0200
Subject: [dns-wg] Proposal to Change the Dash ('-') Notation in Reverse DOMAIN Objects
Message-ID: <4DAC042C.1020006@ripe.net>

[Apologies for duplicate emails]

Dear Colleagues,

What follows is a short proposal to change the process of creating and updating reverse DOMAIN objects in the RIPE Database.

Because this is a proposed RIPE Database change, please direct any discussion to the RIPE Database Working Group mailing list to keep it focused in one place.

Regards,

Denis Walker
Business Analyst
RIPE NCC Database Group

Proposal to change the dash ('-') notation in reverse DOMAIN objects

Introduction
------------
Reverse delegation DOMAIN objects allow the use of a dash ('-') in the syntax. The current arrangement causes problems with DNSSEC. We propose to drop the current behaviour. We would also introduce a new syntax using the dash notation to avoid the need for manual intervention for classless delegations. Both the current and the new behaviour described in this document only apply to IPv4 delegations.

Feature to be deprecated
------------------------
Currently, we allow a dash in the third octet of an IPv4 reverse delegation. So, for the address range 10.2.1.0 - 10.2.100.255, the syntax allows a reverse delegation DOMAIN object to be submitted as 1-100.2.10.in-addr.arpa. The RIPE Database update software will expand this into 100 separate objects in the database with prefixes from 1.2.10.in-addr.arpa to 100.2.10.in-addr.arpa. Apart from the prefix, all the other data in the submitted object will be duplicated in all 100 objects.
To modify or delete this set of objects, the user has to process all 100 objects individually. No bulk operations are possible after the original object has been expanded in the database.

This feature is not compatible with using DNSSEC. The value of the "ds-rdata:" attribute is a hash that includes the delegation. By definition, this must be different for each DOMAIN object. These different hash values for multiple objects cannot be entered by submitting a single object with the dash notation.

This issue was raised by members of the DNS community, and the RIPE NCC now proposes to deprecate this update feature.

Feature to be added
-------------------
Classless delegations, according to RFC2317 (http://www.ietf.org/rfc/rfc2317.txt), are currently handled manually by the DNS Department at the RIPE NCC. Although the objects can be created in the RIPE Database, they will not be propagated to the zone files. The RIPE NCC proposes to allow a dash in the fourth octet of an IPv4 reverse delegation. So, for the address range 10.2.1.6 - 10.2.1.25, the syntax would allow a reverse delegation DOMAIN object to be submitted as 6-25.1.2.10.in-addr.arpa. This object would not be expanded by the RIPE Database update software into 20 separate objects, as it is with the feature described above. It would be created in the database as a single object, including the dash in the range.

New DNS provisioning software would handle the new dash notation and propagate this delegation to the zone file. However, the range 0-255 is a special case and would not be allowed in the fourth octet.

Modification and deletion can be performed on the single object in the database. Any change would be propagated into the zone file by the new delegation software.
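
[Added example, not part of the original message and not RIPE NCC software: a Python sketch of the two dash notations in the proposal above, showing why one "ds-rdata:" value cannot be reused across the objects produced by the third-octet macro. The function names and the DNSKEY bytes are constructed for illustration; the digest is the RFC 4034 SHA-256 form, hash(owner name | DNSKEY RDATA).]

```python
import hashlib
import re
import struct

SUFFIX = ".in-addr.arpa"
RANGE = re.compile(r"^(\d{1,3})-(\d{1,3})$")

# Constructed DNSKEY RDATA (not a real key): flags=257 (KSK), protocol=3,
# algorithm=8, followed by 32 placeholder public-key bytes.
SAMPLE_DNSKEY = struct.pack("!HBB", 257, 3, 8) + bytes(range(32))


def _octet(text):
    """Return text as an integer in 0..255, or raise ValueError."""
    if not text.isdigit() or int(text) > 255:
        raise ValueError(f"not an IPv4 octet: {text!r}")
    return int(text)


def parse_domain_key(name):
    """Classify a reverse DOMAIN key and list the zones it stands for.

    Returns (kind, zones) where kind is "plain", "expanded" (dash in the
    third octet, the macro to be deprecated) or "classless" (dash in the
    fourth octet, the proposed RFC 2317 form kept as one object).
    """
    name = name.rstrip(".").lower()
    if not name.endswith(SUFFIX):
        raise ValueError("not an in-addr.arpa name")
    labels = name[: -len(SUFFIX)].split(".")
    if not 1 <= len(labels) <= 4:
        raise ValueError("expected one to four octet labels")
    first, parents = labels[0], labels[1:]
    for label in parents:
        _octet(label)
    match = RANGE.match(first)
    if match is None:
        _octet(first)
        return "plain", [name]
    low, high = _octet(match.group(1)), _octet(match.group(2))
    if low >= high:
        raise ValueError("range must be ascending")
    tail = ".".join(parents) + SUFFIX
    if len(labels) == 3:
        # Macro: one submitted object becomes high-low+1 database objects.
        return "expanded", [f"{n}.{tail}" for n in range(low, high + 1)]
    if len(labels) == 4:
        if (low, high) == (0, 255):
            raise ValueError("0-255 in the fourth octet is not allowed")
        # Stored as a single object, dash included.
        return "classless", [name]
    raise ValueError("dash is only valid in the third or fourth octet")


def wire_name(name):
    """Canonical DNS wire form: lower-case, length-prefixed labels, root."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ds_digest(owner, dnskey_rdata):
    """SHA-256 DS digest per RFC 4034: hash(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + dnskey_rdata).hexdigest()


def ds_per_zone(key, dnskey_rdata=SAMPLE_DNSKEY):
    """Map every zone behind a DOMAIN key to the DS digest it needs."""
    _, zones = parse_domain_key(key)
    return {zone: ds_digest(zone, dnskey_rdata) for zone in zones}


if __name__ == "__main__":
    for key in ("1-100.2.10.in-addr.arpa", "6-25.1.2.10.in-addr.arpa"):
        kind, zones = parse_domain_key(key)
        digests = ds_per_zone(key)
        print(f"{key}: {kind}, {len(zones)} object(s), "
              f"{len(set(digests.values()))} distinct DS digest(s)")
```
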
From randy at psg.com Mon Apr 18 11:34:16 2011
From: randy at psg.com (Randy Bush)
Date: Mon, 18 Apr 2011 18:34:16 +0900
Subject: [dns-wg] Re: [db-wg] Proposal to Change the Dash ('-') Notation in Reverse DOMAIN Objects
In-Reply-To: <4DAC042C.1020006@ripe.net>
References: <4DAC042C.1020006@ripe.net>
Message-ID:

does this not arise from some confusion.

that the delegation request object allows a macro that has a dash does not mean any dns objects have a dash. so there is no actual dns problem.

or am i confused as usual?

randy

From terry.manderson at icann.org Mon Apr 18 14:28:40 2011
From: terry.manderson at icann.org (Terry Manderson)
Date: Mon, 18 Apr 2011 05:28:40 -0700
Subject: [dns-wg] Re: [db-wg] Proposal to Change the Dash ('-') Notation in Reverse DOMAIN Objects
In-Reply-To:
References: <4DAC042C.1020006@ripe.net>
Message-ID: <25F5DA5E-713F-4B57-9151-7E9E80F6EAFA@icann.org>

It's not a DNS problem exactly. But since the macro in question can allow a RIPE db user to incorrectly duplicate DS record data for multiple zones, an unsuspecting entrant to the world of DNSSEC will have a rather awkward time. You could argue buyer beware, but off the cuff I see no general issue with trying to remove potential errors before frustration sets in.

Cheers,
Terry

On 18/04/2011, at 7:34 PM, "Randy Bush" wrote:

> does this not arise from some confusion.
>
> that the delegation request object allows a macro that has a dash does
> not mean any dns objects have a dash. so there is no actual dns
> problem.
>
> or am i confused as usual?
>
> randy
>

From randy at psg.com Mon Apr 18 15:04:41 2011
From: randy at psg.com (Randy Bush)
Date: Mon, 18 Apr 2011 22:04:41 +0900
Subject: [dns-wg] Re: [db-wg] Proposal to Change the Dash ('-') Notation in Reverse DOMAIN Objects
In-Reply-To: <25F5DA5E-713F-4B57-9151-7E9E80F6EAFA@icann.org>
References: <4DAC042C.1020006@ripe.net> <25F5DA5E-713F-4B57-9151-7E9E80F6EAFA@icann.org>
Message-ID:

> It's not a DNS problem exactly. But since the macro in question can
> allow a RIPE db user to incorrectly duplicate DS record data for
> multiple zones, an unsuspecting entrant to the world of DNSSEC will
> have a rather awkward time. You could argue buyer beware, but off the
> cuff I see no general issue with trying to remove potential errors
> before frustration sets in.
>
>> does this not arise from some confusion.
>>
>> that the delegation request object allows a macro that has a dash does
>> not mean any dns objects have a dash. so there is no actual dns
>> problem.

and we should also prevent folk such as mycroft-jones from asking for dns delegation. brilliant.

randy

---
Q: Because it reverses the logical flow of conversation.
A: Why is top posting frowned upon?

From randy at psg.com Mon Apr 18 15:15:27 2011
From: randy at psg.com (Randy Bush)
Date: Mon, 18 Apr 2011 22:15:27 +0900
Subject: [dns-wg] Re: [db-wg] Proposal to Change the Dash ('-') Notation in Reverse DOMAIN Objects
In-Reply-To: <20110418131223.GT30227@Space.Net>
References: <4DAC042C.1020006@ripe.net> <25F5DA5E-713F-4B57-9151-7E9E80F6EAFA@icann.org> <20110418131223.GT30227@Space.Net>
Message-ID:

> I'm not exactly sure why we want to support
>
> mycroft-jones.1.0.0.2.ip6.arpa
>
> in the RIPE DNS tools... or maybe I am misunderstanding something now,
> but this whole apparatus is to automate delegation of *reverse* zones,
> and those usually don't consist of people's surnames.

and the zones do not consist of 120-127.42.66.in-addr.arpa either.

the hyphen syntax is a macro in a language that is not in the dns. therefore that it is not acceptable dns syntax is not relevant.
randy

From pk at DENIC.DE Mon Apr 18 15:17:26 2011
From: pk at DENIC.DE (Peter Koch)
Date: Mon, 18 Apr 2011 15:17:26 +0200
Subject: [dns-wg] Re: Proposal to Change the Dash ('-') Notation in Reverse DOMAIN Objects
In-Reply-To: <4DAC042C.1020006@ripe.net>
References: <4DAC042C.1020006@ripe.net>
Message-ID: <20110418131726.GE22688@x28.adm.denic.de>

Denis, all,

{ncc services stripped as requested, but dns and db wg kept for now}

> What follows is a short proposal to change the process of creating and

it appears that these are actually three proposals that are linked together but might deserve discussion of their own merits.

> Feature to be deprecated
> ------------------------
> Currently, we allow a dash in the third octet of an IPv4 reverse
> delegation. So, for the address range 10.2.1.0 - 10.2.100.255, the
> syntax allows a reverse delegation DOMAIN object to be submitted as
> 1-100.2.10.in-addr.arpa. The RIPE Database update software will expand
> this into 100 separate objects in the database with prefixes from
> 1.2.10.in-addr.arpa to 100.2.10.in-addr.arpa. Apart from the prefix,
> all the other data in the submitted object will be duplicated in all 100
> objects. To modify or delete this set of objects, the user has to
> process all 100 objects individually. No bulk operations are possible
> after the original object has been expanded in the database.

So, there is a macro feature in there that isn't explicit but overlays the object name and key. Also it seems this macro is only useful at object creation time. Can you share any numbers in terms of objects and LIRs that have been using this feature?

> This feature is not compatible with using DNSSEC. The value of the
> "ds-rdata:" attribute is a hash that includes the delegation. By

Well, this is only a consequence of choosing the DS data as the registration object.
If that were the only obstacle and provided LIRs are using the same DNSKEY for multiple zones, this could of course be changed to allow for registration of the DNSKEY (identical across whatever macro expansion) to make the data part consistent for all those objects covered.

> Feature to be added
> -------------------
> in the RIPE Database, they will not be propagated to the zone files. The
> RIPE NCC proposes to allow a dash in the fourth octet of an IPv4 reverse
> delegation. So, for the address range 10.2.1.6 - 10.2.1.25, the syntax
> would allow a reverse delegation DOMAIN object to be submitted as
> 6-25.1.2.10.in-addr.arpa. This object would not be expanded by the RIPE
> Database update software into 20 separate objects, as it is with the
> feature described above. It would be created in the database as a single
> object, including the dash in the range.

Sounds reasonable to me for those direct assignments smaller than /24.

> New DNS provisioning software would handle the new dash notation and
> propagate this delegation to the zone file. However, the range 0-255 is
> a special case and would not be allowed in the fourth octet.

This would suggest the fourth label is evaluated and checked also against the governing inetnum object or authorization?

-Peter {no hats}

From gert at space.net Mon Apr 18 15:21:51 2011
From: gert at space.net (Gert Doering)
Date: Mon, 18 Apr 2011 15:21:51 +0200
Subject: [dns-wg] Re: [db-wg] Proposal to Change the Dash ('-') Notation in Reverse DOMAIN Objects
In-Reply-To:
References: <4DAC042C.1020006@ripe.net> <25F5DA5E-713F-4B57-9151-7E9E80F6EAFA@icann.org> <20110418131223.GT30227@Space.Net>
Message-ID: <20110418132151.GU30227@Space.Net>

Hi,

On Mon, Apr 18, 2011 at 10:15:27PM +0900, Randy Bush wrote:
> > I'm not exactly sure why we want to support
> >
> > mycroft-jones.1.0.0.2.ip6.arpa
> >
> > in the RIPE DNS tools... or maybe I am misunderstanding something now,
> > but this whole apparatus is to automate delegation of *reverse* zones,
> > and those usually don't consist of people's surnames.
>
> and the zones do not consist of 120-127.42.66.in-addr.arpa either.
>
> the hyphen syntax is a macro in a language that is not in the dns. therefore
> that it is not acceptable dns syntax is not relevant.

So what exactly would be the benefit of delegating all names from "mycroft" to "jones" with this mechanism?

Gert Doering
        -- NetMaster
--
did you enable IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

From gert at space.net Mon Apr 18 15:12:23 2011
From: gert at space.net (Gert Doering)
Date: Mon, 18 Apr 2011 15:12:23 +0200
Subject: [dns-wg] Re: [db-wg] Proposal to Change the Dash ('-') Notation in Reverse DOMAIN Objects
In-Reply-To:
References: <4DAC042C.1020006@ripe.net> <25F5DA5E-713F-4B57-9151-7E9E80F6EAFA@icann.org>
Message-ID: <20110418131223.GT30227@Space.Net>

Hi,

On Mon, Apr 18, 2011 at 10:04:41PM +0900, Randy Bush wrote:
> and we should also prevent folk such as mycroft-jones from asking for
> dns delegation. brilliant.

I'm not exactly sure why we want to support

mycroft-jones.1.0.0.2.ip6.arpa

in the RIPE DNS tools... or maybe I am misunderstanding something now, but this whole apparatus is to automate delegation of *reverse* zones, and those usually don't consist of people's surnames.

Gert Doering
        -- NetMaster
--
did you enable IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

From randy at psg.com Mon Apr 18 15:34:25 2011
From: randy at psg.com (Randy Bush)
Date: Mon, 18 Apr 2011 22:34:25 +0900
Subject: [dns-wg] Re: [db-wg] Proposal to Change the Dash ('-') Notation in Reverse DOMAIN Objects
In-Reply-To: <20110418132151.GU30227@Space.Net>
References: <4DAC042C.1020006@ripe.net> <25F5DA5E-713F-4B57-9151-7E9E80F6EAFA@icann.org> <20110418131223.GT30227@Space.Net> <20110418132151.GU30227@Space.Net>
Message-ID:

>>> I'm not exactly sure why we want to support
>>>
>>> mycroft-jones.1.0.0.2.ip6.arpa
>>>
>>> in the RIPE DNS tools... or maybe I am misunderstanding something now,
>>> but this whole apparatus is to automate delegation of *reverse* zones,
>>> and those usually don't consist of people's surnames.
>>
>> and the zones do not consist of 120-127.42.66.in-addr.arpa either.
>>
>> the hyphen syntax is a macro in a language that is not in the dns. therefore
>> that it is not acceptable dns syntax is not relevant.
>
> So what exactly would be the benefit of delegating all names from
> "mycroft" to "jones" with this mechanism?

see http://en.wikipedia.org/wiki/Analogy

randy

From pfaltstr at cisco.com Mon Apr 18 15:57:11 2011
From: pfaltstr at cisco.com (Patrik Faltstrom (pfaltstr))
Date: Mon, 18 Apr 2011 15:57:11 +0200
Subject: [dns-wg] Re: [db-wg] Proposal to Change the Dash ('-') Notation in Reverse DOMAIN Objects
In-Reply-To: <20110418131223.GT30227@Space.Net>
References: <4DAC042C.1020006@ripe.net> <25F5DA5E-713F-4B57-9151-7E9E80F6EAFA@icann.org> <20110418131223.GT30227@Space.Net>
Message-ID: <569D3AB4-6960-4F1E-92BB-3C690BC66ECF@cisco.com>

On 18 apr 2011, at 15:34, "Gert Doering" wrote:

> those usually don't consist of people's surnames.

Well, have you followed the work in zeroconf?
Patrik

From gert at space.net Mon Apr 18 16:40:35 2011
From: gert at space.net (Gert Doering)
Date: Mon, 18 Apr 2011 16:40:35 +0200
Subject: [dns-wg] Re: [db-wg] Proposal to Change the Dash ('-') Notation in Reverse DOMAIN Objects
In-Reply-To: <569D3AB4-6960-4F1E-92BB-3C690BC66ECF@cisco.com>
References: <4DAC042C.1020006@ripe.net> <25F5DA5E-713F-4B57-9151-7E9E80F6EAFA@icann.org> <20110418131223.GT30227@Space.Net> <569D3AB4-6960-4F1E-92BB-3C690BC66ECF@cisco.com>
Message-ID: <20110418144035.GX30227@Space.Net>

Hi,

On Mon, Apr 18, 2011 at 03:57:11PM +0200, Patrik Faltstrom (pfaltstr) wrote:
> On 18 apr 2011, at 15:34, "Gert Doering" wrote:
>
> > those usually don't consist of people's surnames.
> Well, have you followed the work in zeroconf?

I haven't, admittedly. Could you point me to the relevant documents?

(There's *lots* of work in zeroconf)

Gert Doering
        -- NetMaster
--
did you enable IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

From pfaltstr at cisco.com Mon Apr 18 18:55:45 2011
From: pfaltstr at cisco.com (Patrik Fältström)
Date: Mon, 18 Apr 2011 18:55:45 +0200
Subject: [dns-wg] Re: [db-wg] Proposal to Change the Dash ('-') Notation in Reverse DOMAIN Objects
In-Reply-To: <20110418144035.GX30227@Space.Net>
References: <4DAC042C.1020006@ripe.net> <25F5DA5E-713F-4B57-9151-7E9E80F6EAFA@icann.org> <20110418131223.GT30227@Space.Net> <569D3AB4-6960-4F1E-92BB-3C690BC66ECF@cisco.com> <20110418144035.GX30227@Space.Net>
Message-ID:

On 18 apr 2011, at 16.40, Gert Doering wrote:

> On Mon, Apr 18, 2011 at 03:57:11PM +0200, Patrik Faltstrom (pfaltstr) wrote:
>> On 18 apr 2011, at 15:34, "Gert Doering" wrote:
>>
>>> those usually don't consist of people's surnames.
>> Well, have you followed the work in zeroconf?
>
> I haven't, admittedly. Could you point me to the relevant documents?
>
> (There's *lots* of work in zeroconf)

I missed a few thousand smileys...of course NO ONE can follow everything in zeroconf...

In short, we have things live like this:

lb._dns-sd._udp.0.0.168.192.in-addr.arpa. IN PTR example.com.

The result is similar to do the same queries in .local TLD (but then most of the time using mDNS).

See section 11 of http://files.dns-sd.org/draft-cheshire-dnsext-dns-sd.txt for example.

Patrik

From pk at DENIC.DE Tue Apr 19 19:28:09 2011
From: pk at DENIC.DE (Peter Koch)
Date: Tue, 19 Apr 2011 19:28:09 +0200
Subject: [dns-wg] DNS WG action item list update
Message-ID: <20110419172809.GA45321@unknown.office.denic.de>

Dear DNS WG,

during the preparation of the upcoming meeting it was noted that the maintenance of our action item list at has fallen behind a bit. This message attempts to clean up the list and resolve any ambiguity. Please do not hesitate to contact the WG co-chairs if you have any questions or concerns.
-----------------------------------------------------------------------------

During RIPE 58, we addressed 57.1 "DLV for NCC maintained TAs" during the RIPE NCC report:

    Anand talked first about AP 57.1: The RIPE NCC supports signing of the root and had planned to upload its trust anchors into the ISC DLV. He noted that somehow, this has happened without RIPE NCC knowledge. Contact has been made with ISC to investigate how this came about.

Further on:

    ACTION POINT: Anand to document the overhaul of provisioning methods to submit the Trust Anchors of zones signed by the RIPE NCC into ISC DLV. The draft solution to be distributed to the DB WG.

This became 58.1 with only being slightly different from 57.1.

-----------------------------------------------------------------------------

The summary from RIPE 58 reads:

    ACTION 58.1: NCC's KSKs in DLV
    RIPE NCC to followup on the inclusion of RIPE NCC's TAs into ISC DLV

    ACTION 58.2: IN-ADDR.ARPA objects in the database
    Child objects for reverse zones in the RIPE DB were causing confusion when a parent object was also present. Since the parent zone was already provisioned the child zone would have no effect.

    ACTION 58.3: RIPE NCC to evaluate feedback on Lameness Delegation checking and incorporate this into any future work. Report back at RIPE 59.

-----------------------------------------------------------------------------

The minutes for RIPE 59 say:

    58.2 IN-ADDR.ARPA objects in the database
    This has created an action item for the database WG.

    58.3 Feedback on lame delegations
    Research into the lame delegation project will be presented by Shane Kerr (ISC) later in the agenda.

Finally, the RIPE 59 minutes say:

    Peter proposed to keep action item 58.2 open so that the RIPE NCC can take care of this. He recommended closing NCC's KSKs and DLV action items (57.1 and 58.1). There were no objections.

and later:

    Shane said he'd be happy to continue discussion on the mailing list. Peter proposed to close this action item (58.3). The WG agreed with this proposal.

The issue of parent/child domain objects in the database for the reverse tree(s) was reported done by the DB group in a mail sent 09 Dec 2010:

-----------------------------------------------------------------------------

Summary:

We are going to list new action items 58.1, 58.2, and 58.3 as described above. All of these plus 57.1 can be marked "done" as per the minutes of RIPE 59 and subsequent email from the NCC's DB group.

No Action Items from RIPE 59, Lisbon, October 2009
No Action Items from RIPE 60, Prague, May 2010
No Action Items from RIPE 61, Rome, November 2010

-----------------------------------------------------------------------------

Best regards,
Peter

From Brett.Carr at nominet.org.uk Wed Apr 20 10:56:34 2011
From: Brett.Carr at nominet.org.uk (Brett Carr)
Date: Wed, 20 Apr 2011 08:56:34 +0000
Subject: [dns-wg] DNS WG action item list update
In-Reply-To: <20110419172809.GA45321@unknown.office.denic.de>
References: <20110419172809.GA45321@unknown.office.denic.de>
Message-ID:

Peter,

On 19 Apr 2011, at 18:28, Peter Koch wrote:

> Dear DNS WG,
>
> during the preparation of the upcoming meeting it was noted that
> the maintenance of our action item list at
>
>
>
> has fallen behind a bit. This message attempts to clean up the list
> and resolve any ambiguity. Please do not hesitate to contact the
> WG co-chairs if you have any questions or concerns.
>
> -----------------------------------------------------------------------------
>
> During RIPE 58, we addressed 57.1 "DLV for NCC maintained TAs" during the
> RIPE NCC report:
>
> Anand talked first about AP 57.1: The RIPE NCC supports signing of the
> root and had planned to upload its trust anchors into the ISC DLV.
>

Shouldn't this say "had planned not to upload it's trust anchors"?
--
Brett Carr
Systems Administrator
Nominet UK
http://www.nominet.org.uk

From jim at rfc1035.com Wed Apr 20 11:22:48 2011
From: jim at rfc1035.com (Jim Reid)
Date: Wed, 20 Apr 2011 10:22:48 +0100
Subject: [dns-wg] DLV and the NCC's KSKs
In-Reply-To:
References: <20110419172809.GA45321@unknown.office.denic.de>
Message-ID:

On 20 Apr 2011, at 09:56, Brett Carr wrote:

>>
>> Anand talked first about AP 57.1: The RIPE NCC supports
>> signing of the
>> root and had planned to upload its trust anchors into the ISC
>> DLV.
>
> Shouldn't this say "had planned not to upload it's trust anchors"?

I don't think so Brett. Here's an extract from the RIPE57 minutes:

    There was a question about how to get the trust anchors for the RIPE NCC domains. Anand explained that they could be found on the secure website . Anand was asked to look into DLV, which would make keeping track of key rollovers easier.

    ACTION: NCC (Anand) to consider DLV for the Trust Anchors maintained by the NCC

You might recall a lot of WG activity around RIPE57 was spent on a response to the NTIA proposals for signing the root. And it was unclear how or when .arpa and its subdomains would get signed if/when the root got signed. So at that time, the ISC DLV was pretty much the only option that was open to the NCC for its signed reverse tree. Sigh. IANA's ITAR only handled TLD keys.

IIUC the NCC never lodged their KSKs with ISC's DLV thing. Though they somehow ended up there and this created some issues later.

PS it should have been "upload its trust anchors". It's a pet peeve of mine when people type "it's" (it is) when they mean "its" (possessive of it). I know. I need to get out more.
From anandb at ripe.net Wed Apr 20 11:49:14 2011 From: anandb at ripe.net (Anand Buddhdev) Date: Wed, 20 Apr 2011 11:49:14 +0200 Subject: [dns-wg] Re: DLV and the NCC's KSKs In-Reply-To: References: <20110419172809.GA45321@unknown.office.denic.de> Message-ID: <4DAEAC1A.2040805@ripe.net> On 20/04/2011 11:22, Jim Reid wrote: > IIUC the NCC never lodged their KSKs with ISC's DLV thing. Though they > somehow ended up there and this created some issues later. This was the main issue. ISC imported the NCC's trust anchors without asking. However, we spoke with ISC about this, and resolved it. ISC no longer imports our trust anchors automatically. Instead, we have an account in the ISC TAR, and we choose what goes in, and when. At the moment, we have just 10 islands of trust left in the ISC TAR, and we're just waiting for their parents to be signed. Regards, Anand Buddhdev RIPE NCC From wnagele at ripe.net Thu Apr 21 08:12:42 2011 From: wnagele at ripe.net (Wolfgang Nagele) Date: Thu, 21 Apr 2011 09:12:42 +0300 Subject: [dns-wg] DNSSEC outage in ripe.net and 0.a.2.ip6.arpa Message-ID: <4DAFCADA.1050404@ripe.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear colleagues, As some of you have noticed we had another DNSSEC outage last week. The zones affected were: ripe.net: 11:29 - 16:00 UTC on 14 April 0.a.2.ip6.arpa: 02:31 - 10:00 UTC on 15 April After analysis with our vendor, we determined that the cause of this outage was the same bug that caused the outage in e164.arpa on 15 February 2011. Our vendor concluded that the bug on 15 February was caused by an unusually high load on the signer system, but this time the system was in normal day-to-day operation, so that can't explain the failure. We've collected a sufficient amount of data from this incident to allow us to reproduce the circumstances and have found the bug in the system together with our vendor. We will receive an updated version of the software within the coming weeks. 
We have agreed to this timeline because this bug is only triggered in specific circumstances during a Key Signing Key rollover.

We apologise for this outage. I would like to use the opportunity to point out that our long-term mitigation plan is to have a DNSSEC verification proxy in place. I am happy to say that our efforts for this have been well-received and a group of other interested parties has formed to work on it. If you would like to join the mailing list, please see:

http://nlnetlabs.nl/mailman/listinfo/dnssexy

Regards,

Wolfgang Nagele
DNS Group Manager
RIPE NCC
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2vytoACgkQjO7G63Byy8eKfACgs7HMEleAz0pEHIe03npMqUG6
xB4AoLBYtGOYyrk3X2VPOVjcsmpHIIIG
=NFDn
-----END PGP SIGNATURE-----

From anandb at ripe.net Thu Apr 21 14:43:11 2011
From: anandb at ripe.net (Anand Buddhdev)
Date: Thu, 21 Apr 2011 14:43:11 +0200
Subject: [dns-wg] PGP Key-Signing Party at RIPE 62
Message-ID: <4DB0265F.5030008@ripe.net>

Dear colleagues,

During RIPE 62, we will have a PGP Key-Signing Party, on Tuesday, 3 May at 17:30 in the Seasons Room at the Krasnapolsky Hotel. If you'd like to participate, please see the following page for details on how to sign up for it:

http://ripe62.ripe.net/programme/social-events/pgp-key-signing-party

Regards,

Anand Buddhdev
RIPE NCC

From pk at DENIC.DE Fri Apr 29 17:10:21 2011
From: pk at DENIC.DE (Peter Koch)
Date: Fri, 29 Apr 2011 17:10:21 +0200
Subject: [dns-wg] Draft DNS WG Agenda for Amsterdam RIPE 62
Message-ID: <20110429151021.GF7554@x27.adm.denic.de>

Dear WG,

here's the draft agenda for next week's two meeting slots.
Some of the contributions may have to be moved between Wed and Thu
due to presenters' travel constraints.

-Peter

-----------------------------------------------------------------------------
DRAFT Agenda for the DNSWG at RIPE 62, Amsterdam
-----------------------------------------------------------------------------
Wednesday, 2011-05-04 11:00-12:30 (09:00-10:30 UTC) // EIX
-----------------------------------------------------------------------------
A  Administrivia
   [chairs]

B  Report from the RIPE NCC
   [Wolfgang Nagele]

C  IETF report
   TBD/TBC

D  OpenDNSSEC
   [Jakob Schlyter]

E  BIND10 Live Demo
   [Shane Kerr]

F  Update on .uk DNSSEC Deployment
   [Brett Carr]

G  DNS Anomaly Detection
   TBC

-----------------------------------------------------------------------------
Thursday, 2011-05-05 11:00-12:30 (09:00-10:30 UTC) // Address Policy
-----------------------------------------------------------------------------
N  NSD4 Plans
   [Wouter Wijngaards]

O  DNSSEC client behaviour
   TBC

P  DNS reverse mapping for IPv6
   TBC

Q  IP6.ARPA and IN-ADDR.ARPA Changes
   [Dave Knight]

Z  A.O.B.
-----------------------------------------------------------------------------

From Woeber at CC.UniVie.ac.at Sat Apr 30 10:03:43 2011
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet)
Date: Sat, 30 Apr 2011 08:03:43 +0000
Subject: [dns-wg] Draft DNS WG Agenda for Amsterdam RIPE 62
In-Reply-To: <20110429151021.GF7554@x27.adm.denic.de>
References: <20110429151021.GF7554@x27.adm.denic.de>
Message-ID: <4DBBC25F.4040704@CC.UniVie.ac.at>

Peter Koch wrote:

> Dear WG,
>
> here's the draft agenda for next week's two meeting slots.
> Some of the contributions may have to be moved between Wed and Thu
> due to presenters' travel constraints.
>
> -Peter
>
> -----------------------------------------------------------------------------
> DRAFT Agenda for the DNSWG at RIPE 62, Amsterdam
> -----------------------------------------------------------------------------
[...]
> G DNS Anomaly Detection
> TBC

Hi Peter,

is that me with the F-Root Story?

Tnx,
Wilfried