From pk at DENIC.DE Sun May 1 22:43:09 2011 From: pk at DENIC.DE (Peter Koch) Date: Sun, 1 May 2011 22:43:09 +0200 Subject: [dns-wg] 2nd Draft DNS WG Agenda for RIPE 62 Message-ID: <20110501204309.GW7554@x27.adm.denic.de> DNS WG, here's an updated agenda for our Wed and Thu meetings. Slots are mostly booked now with two pending confirmations. Regards, Peter ----------------------------------------------------------------------------- Wednesday, 2011-05-04 11:00-12:30 (09:00-10:30 UTC) // EIX ----------------------------------------------------------------------------- A Administrivia [chairs] B Report from the RIPE NCC [Wolfgang Nagele] C IETF report TBD/TBC D OpenDNSSEC [Jakob Schlyter] E BIND10 Live Demo [Shane Kerr] F Update on .uk DNSSEC Deployment [Brett Carr] G DNS Anomaly Detection [Ondrej Sury] ----------------------------------------------------------------------------- Thursday, 2011-05-05 11:00-12:30 (09:00-10:30 UTC) // Address Policy ----------------------------------------------------------------------------- N NSD4 Plans [Wouter Wijngaards] O DNSSEC client behaviour TBC P Changes to JP DNS traffic by DNSSEC [Masato Minda] Q IP6.ARPA and IN-ADDR.ARPA Changes [Dave Knight] R The "Dancing F-Root" Story [Wilfried Woeber] S Towards a Name Server Control Protocol [John Dickinson] Z A.O.B. ----------------------------------------------------------------------------- From pk at DENIC.DE Thu May 5 00:36:13 2011 From: pk at DENIC.DE (Peter Koch) Date: Thu, 5 May 2011 00:36:13 +0200 Subject: [dns-wg] Updated Final Agenda for 2nd DNS WG session Message-ID: <20110504223613.GF5823@x27.adm.denic.de> Dear WG, here is the updated agenda for Thursday's second DNS WG session: ----------------------------------------------------------------------------- Thursday, 2011-05-05 11:00-12:30 (09:00-10:30 UTC) // Address Policy ----------------------------------------------------------------------------- O NSD4 Plans [Wouter Wijngaards] P IP6.ARPA and IN-ADDR.ARPA Changes [Dave Knight] Q Towards a Name Server Control Protocol [John Dickinson] R DNSSEC Client Behaviour [Sander Degen] S Changes to JP DNS traffic by DNSSEC [Masato Minda] T HSM survey [Jakob Schlyter] U The "Dancing F-Root" Story [Wilfried Woeber] Z A.O.B. ----------------------------------------------------------------------------- -Peter From wnagele at ripe.net Fri May 6 14:22:04 2011 From: wnagele at ripe.net (Wolfgang Nagele) Date: Fri, 06 May 2011 14:22:04 +0200 Subject: [dns-wg] DNSSEC Provisioning for ERX Space Held with APNIC Message-ID: <4DC3E7EC.6060300@ripe.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear colleagues, APNIC has just enabled support for DNSSEC-enabled delegations for their reverse space. This means that RIPE NCC members with ERX space assignments in the APNIC region can now also make use of DNSSEC. To do so, please submit a domain object which includes the ds-rdata field as you would for any other DNSSEC-enabled delegation. For more information on how to do this, see: http://www.ripe.net/data-tools/dns/dnssec/procedure-for-requesting-dnssec-delegations We will enable this service for ERX space held in other RIR regions as soon as DNSSEC becomes available with those RIRs. For more information on ERX space in the RIPE NCC service region, see: http://www.ripe.net/lir-services/resource-management/erx Regards, Wolfgang Nagele DNS Group Manager, RIPE NCC -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk3D5+wACgkQjO7G63Byy8eSEACdG1WodVCXlhENcALS3hG83OHs E04AoLIZ8nBrb/95tD2htmrCo45tj3c8 =PJRg -----END PGP SIGNATURE----- From shane at time-travellers.org Tue May 10 11:00:36 2011 From: shane at time-travellers.org (Shane Kerr) Date: Tue, 10 May 2011 11:00:36 +0200 Subject: [dns-wg] DNSSEC Provisioning for ERX Space Held with APNIC In-Reply-To: <4DC3E7EC.6060300@ripe.net> References: <4DC3E7EC.6060300@ripe.net> Message-ID: <1305018036.2331.7.camel@shane-desktop> Wolfgang, On Fri, 2011-05-06 at 14:22 +0200, Wolfgang Nagele wrote: > APNIC has just enabled support for DNSSEC-enabled delegations for their > reverse space. > > This means that RIPE NCC members with ERX space assignments in the > APNIC region can now also make use of DNSSEC. > > To do so, please submit a domain object which includes the ds-rdata > field as you would for any other DNSSEC-enabled delegation. Very cool. I'm thinking of the case where someone has old space, across several RIRs, and some ERX space can have reverse DNS secured with DNSSEC and some cannot. Does the update check that a given DOMAIN object is actually secure before accepting a "ds-rdata:" field? Or is there any warning or other indication on the reply from the RIPE database? I don't know what the timelines are for the remaining RIRs to implement DNSSEC for the reverse tree, so maybe this is not important. :) Thanks, -- Shane From wnagele at ripe.net Tue May 10 12:09:30 2011 From: wnagele at ripe.net (Wolfgang Nagele) Date: Tue, 10 May 2011 12:09:30 +0200 Subject: [dns-wg] DNSSEC Provisioning for ERX Space Held with APNIC In-Reply-To: <1305018036.2331.7.camel@shane-desktop> References: <4DC3E7EC.6060300@ripe.net> <1305018036.2331.7.camel@shane-desktop> Message-ID: <4DC90EDA.8030102@ripe.net> Hi Shane, > Does the update check that a given DOMAIN object is actually secure > before accepting a "ds-rdata:" field? Or is there any warning or other > indication on the reply from the RIPE database? There are two things. One is that we only accept the ds-rdata once we have the OK from the RIR receiving that space that they can support it. This is what this announcement was about. So if you would try to submit ERX domain objects for space with for instance AfriNIC the database would refuse the ds-rdata there because AfriNIC does not yet support it. The other thing is that the delegation checker like for any other delegation checks if the ds-rdata (at least one of them) corresponds to a DNSKEY in that zone. Cheers, W From mir at ripe.net Tue May 31 15:10:13 2011 From: mir at ripe.net (Mirjam Kuehne) Date: Tue, 31 May 2011 15:10:13 +0200 Subject: [dns-wg] How DNS caching affects the start of World IPv6 Day Message-ID: <4DE4E8B5.2050608@ripe.net> [apologies for duplicates] Dear colleagues, Please find a new article on RIPE Labs showing how DNS caching affects the start of World IPv6 Day and how World IPv6 Day participants can minimise these effects: http://labs.ripe.net/Members/emileaben/when-does-world-ipv6-day-start Kind regards, Mirjam Kuehne RIPE NCC