From jim at rfc1035.com Thu Apr 5 13:47:41 2012
From: jim at rfc1035.com (Jim Reid)
Date: Thu, 5 Apr 2012 12:47:41 +0100
Subject: [dns-wg] draft agenda for RIPE64
Message-ID: <6D8D17A0-3F04-428E-8BDE-4BFADD43D0B8@rfc1035.com>

Here's the draft agenda for the WG sessions in Ljubljana. It's not clear
yet if there will be a report on the SATIN conference. Apart from that,
no significant changes are expected. Though there may be the odd tweak
to the running order.

Have a nice Easter break and hope to see you all at RIPE64.

#
# $Id: agenda,v 1.6 2012/04/05 11:38:33 jim Exp $
#
DRAFT AGENDA FOR RIPE64 - There may be last-minute tweaks

[0] Usual administrivia (5 mins)

[1] NCC Report (10 mins)
    A N Other, RIPE NCC

[2] DNSSEC in .si (10 mins)
    Benjamin Zwittnig

    Observations and problems encountered during the preparations for
    .si signing, running a signed .si zone and future plans.

[3] Dnssexy (15 mins)
    Willem Toorop, NLnetLabs

    Dnssexy (DNS SEc proXY) is a software-program to fortify DNSSEC
    availability. It operates as a bump in the wire between a hidden
    master and a public slave. It receives DNS-transfers from the
    hidden master, but only notifies the public slave when all records
    are properly assessed by means of a user defined programme.

[4] Quality of DNS and DNSSEC in the .se zone (20 mins)
    Patrick Wallstrom, IIS

    As part of the Healthcheck programme in .SE, IIS have surveyed the
    .se zone for DNS quality and a more in-depth analysis of DNSSEC
    quality, looking at all DNSSEC related parameters and unexpected
    issues.

[5] DNSSEC: dealing with hosts that don't get fragments (20 mins)
    Roland M. van Rijswijk, SURFnet Middleware Services

    Even if you sign your zone according to the book, querying hosts
    that don't accept large responses due to them blocking fragments
    may cause you grief. This presentation outlines the issues you may
    encounter and provides guidelines for dealing with them based on
    research we are currently doing at SURFnet.

[6] Followup to Plenary DNS Presentations (10 mins)

COFFEE

[7] Report on SATIN conference? (10 mins)
    TBD

[8] Knot Update (10 mins)
    Ondřej Surý, CZ.NIC

[9] OpenDNSSEC Status Update (15 mins)
    Jakob Schlyter, OpenDNSSEC

    The soon-to-be-released version 1.4 and roadmap for version 2.0
    (planned for release later in 2012) and beyond.

[10] ATLAS measurements & tools (10 mins)
    Robert Kisteleki, RIPE NCC

[11] Dense Anycast Deployment of DNS Authority Servers (20 mins)
    Dave Knight, ICANN

    A description of the wide-scale anycast deployment of L-Root by
    ICANN with a focus on operations and architecture. The presentation
    will include details of the platform, approaches for automating
    deployment, distributed configuration management, monitoring and
    measurement.

[12] Panel discussion on DNSChanger (30 mins)

[13] AOB

From jim at rfc1035.com Tue Apr 10 16:03:00 2012
From: jim at rfc1035.com (Jim Reid)
Date: Tue, 10 Apr 2012 15:03:00 +0100
Subject: [dns-wg] draft minutes from RIPE63
Message-ID: <92C57C64-66D0-4BEF-B9C3-6F0009A55887@rfc1035.com>

Colleagues, at long last here they are! Please send any corrections to
dns-wg-chair at ripe.net.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ripe63minutes
Type: application/octet-stream
Size: 34516 bytes
Desc: not available
URL:
-------------- next part --------------

From jim at rfc1035.com Fri Apr 13 14:17:58 2012
From: jim at rfc1035.com (Jim Reid)
Date: Fri, 13 Apr 2012 13:17:58 +0100
Subject: [dns-wg] final(?) agenda for RIPE64
Message-ID:

Here's what I hope is the final version. The item on the SATIN
conference has been dropped in favour of an update on YADIFA from Peter
Janssen.

#
# $Id: agenda,v 1.7 2012/04/13 12:14:56 jim Exp $
#
DRAFT AGENDA FOR RIPE64 - There may be last-minute tweaks

[0] Usual administrivia (5 mins)

[1] NCC Report (10 mins)
    A N Other, RIPE NCC

[2] DNSSEC in .si (10 mins)
    Benjamin Zwittnig

    Observations and problems encountered during the preparations for
    .si signing, running a signed .si zone and future plans.

[3] Dnssexy (15 mins)
    Willem Toorop, NLnetLabs

    Dnssexy (DNS SEc proXY) is a software-program to fortify DNSSEC
    availability. It operates as a bump in the wire between a hidden
    master and a public slave. It receives DNS-transfers from the
    hidden master, but only notifies the public slave when all records
    are properly assessed by means of a user defined programme.

[4] Quality of DNS and DNSSEC in the .se zone (20 mins)
    Patrick Wallstrom, IIS

    As part of the Healthcheck programme in .SE, IIS have surveyed the
    .se zone for DNS quality and a more in-depth analysis of DNSSEC
    quality, looking at all DNSSEC related parameters and unexpected
    issues.

[5] DNSSEC: dealing with hosts that don't get fragments (20 mins)
    Roland M. van Rijswijk, SURFnet Middleware Services

    Even if you sign your zone according to the book, querying hosts
    that don't accept large responses due to them blocking fragments
    may cause you grief. This presentation outlines the issues you may
    encounter and provides guidelines for dealing with them based on
    research we are currently doing at SURFnet.

[6] Followup to Plenary DNS Presentations (10 mins)

COFFEE

[7] YADIFA Update (10 mins)
    Peter Janssen, EURid

[8] Knot Update (10 mins)
    Ondřej Surý, CZ.NIC

[9] OpenDNSSEC Status Update (15 mins)
    Jakob Schlyter, OpenDNSSEC

    The soon-to-be-released version 1.4 and roadmap for version 2.0
    (planned for release later in 2012) and beyond.

[10] ATLAS measurements & tools (10 mins)
    Robert Kisteleki, RIPE NCC

[11] Dense Anycast Deployment of DNS Authority Servers (20 mins)
    Dave Knight, ICANN

    A description of the wide-scale anycast deployment of L-Root by
    ICANN with a focus on operations and architecture. The presentation
    will include details of the platform, approaches for automating
    deployment, distributed configuration management, monitoring and
    measurement.

[12] Panel discussion on DNSChanger (30 mins)

[13] AOB

From jim at rfc1035.com Fri Apr 13 14:41:16 2012
From: jim at rfc1035.com (Jim Reid)
Date: Fri, 13 Apr 2012 13:41:16 +0100
Subject: [dns-wg] yet another final WG agenda
Message-ID:

This is almost certainly going to be the final version. Famous last
words... I forgot to list Robert as the stuckee for the NCC report in
the one sent earlier today. So here it is now:

#
# $Id: agenda,v 1.8 2012/04/13 12:38:07 jim Exp $
#
DRAFT AGENDA FOR RIPE64 - There may be last-minute tweaks

[0] Usual administrivia (5 mins)

[1] NCC Report (10 mins)
    Robert Kisteleki, RIPE NCC

[2] DNSSEC in .si (10 mins)
    Benjamin Zwittnig

    Observations and problems encountered during the preparations for
    .si signing, running a signed .si zone and future plans.

[3] Dnssexy (15 mins)
    Willem Toorop, NLnetLabs

    Dnssexy (DNS SEc proXY) is a software-program to fortify DNSSEC
    availability. It operates as a bump in the wire between a hidden
    master and a public slave. It receives DNS-transfers from the
    hidden master, but only notifies the public slave when all records
    are properly assessed by means of a user defined programme.

[4] Quality of DNS and DNSSEC in the .se zone (20 mins)
    Patrick Wallstrom, IIS

    As part of the Healthcheck programme in .SE, IIS have surveyed the
    .se zone for DNS quality and a more in-depth analysis of DNSSEC
    quality, looking at all DNSSEC related parameters and unexpected
    issues.

[5] DNSSEC: dealing with hosts that don't get fragments (20 mins)
    Roland M. van Rijswijk, SURFnet Middleware Services

    Even if you sign your zone according to the book, querying hosts
    that don't accept large responses due to them blocking fragments
    may cause you grief. This presentation outlines the issues you may
    encounter and provides guidelines for dealing with them based on
    research we are currently doing at SURFnet.

[6] Followup to Plenary DNS Presentations (10 mins)

COFFEE

[7] YADIFA Update (10 mins)
    Peter Janssen, EURid

[8] Knot Update (10 mins)
    Ondřej Surý, CZ.NIC

[9] OpenDNSSEC Status Update (15 mins)
    Jakob Schlyter, OpenDNSSEC

    The soon-to-be-released version 1.4 and roadmap for version 2.0
    (planned for release later in 2012) and beyond.

[10] ATLAS measurements & tools (10 mins)
    Robert Kisteleki, RIPE NCC

[11] Dense Anycast Deployment of DNS Authority Servers (20 mins)
    Dave Knight, ICANN

    A description of the wide-scale anycast deployment of L-Root by
    ICANN with a focus on operations and architecture. The presentation
    will include details of the platform, approaches for automating
    deployment, distributed configuration management, monitoring and
    measurement.

[12] Panel discussion on DNSChanger (30 mins)

[13] AOB

From daniel.karrenberg at ripe.net Wed Apr 18 16:12:23 2012
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Wed, 18 Apr 2012 16:12:23 +0200
Subject: [dns-wg] ccTLDs the RIPE NCC provides secondary DNS service for
Message-ID:

In addition to the response I gave at today's meeting about secondary
DNS services here is the current list of ccTLDs that receive this
service:

ad, ae, af, al, am, an, ar, ba, bg, bi, bj, bt, by, ci, cm, cr, cu, cw,
dz, er, et, ga, gd, gp, gs, gu, gy, il, is, jm, jo, kg, kh, kz, lk, lv,
ly, ma, mc, md, mg, ml, mm, mt, mu, mw, nc, ne, np, om, ph, ps, py, qa,
rs, sa, sd, sm, sn, sv, sy, sz, tc, th, tj, to, tp, tr, tt, ua, ug, uy,
va, vg, vn, zw

Note that for several of these, we also slave a number of SLDs, like
co.TLD, org.TLD and so on. For four of these, we also slave their IDN
ccTLDs.

Daniel

From daniel.karrenberg at ripe.net Fri Apr 20 08:46:52 2012
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Fri, 20 Apr 2012 08:46:52 +0200
Subject: [dns-wg] DNSOK queries to k-root
Message-ID: <597FC6BE-2956-4766-A9E5-5DFFCF1F4DA8@ripe.net>

Further to Olaf Kolkman's question at the meeting: we publish the number
of queries with DNSOK set continuously at

http://k.root-servers.org/statistics/ROOT/dnssec.html

This can be at all times compared to

http://k.root-servers.org/statistics/ROOT/nodes.html

So the answer to Olaf's question is that at present roughly two thirds
of the queries arriving at k-root have the DO-bit set.

From olaf at NLnetLabs.nl Fri Apr 20 09:09:33 2012
From: olaf at NLnetLabs.nl (Olaf Kolkman)
Date: Thu, 19 Apr 2012 21:09:33 -1000
Subject: [dns-wg] DNSOK queries to k-root
In-Reply-To: <597FC6BE-2956-4766-A9E5-5DFFCF1F4DA8@ripe.net>
References: <597FC6BE-2956-4766-A9E5-5DFFCF1F4DA8@ripe.net>
Message-ID: <49E7C70A-103C-435F-8292-7535ACB091C5@NLnetLabs.nl>

On Apr 19, 2012, at 8:46 PM, Daniel Karrenberg wrote:

>
> Further to Olaf Kolkman's question at the meeting: we publish the
> number of queries with DNSOK set continuously at
>
> http://k.root-servers.org/statistics/ROOT/dnssec.html
>
> This can be at all times compared to
>
> http://k.root-servers.org/statistics/ROOT/nodes.html
>
> So the answer to Olaf's question is that at present roughly two thirds
> of the queries arriving at k-root have the DO-bit set.
>

Thanks Daniel,

But my question was not statistics about the OK bit (that measures
DNSSEC able servers in the field) but about queries for the DNSKEY
RRset, since the amount of those queries correlates with the amount of
DNSSEC validation that is actually happening.

The RIPE NCC staff has been so kind to generate such graph on request,
but it would be very nice to have that data available life. Even though
the graphs do not demonstrate a significant growth at the moment.

--Olaf

________________________________________________________
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/

From romeo.zwart at ripe.net Fri Apr 20 09:57:01 2012
From: romeo.zwart at ripe.net (Romeo Zwart)
Date: Fri, 20 Apr 2012 09:57:01 +0200
Subject: [dns-wg] DNSOK queries to k-root
In-Reply-To: <49E7C70A-103C-435F-8292-7535ACB091C5@NLnetLabs.nl>
References: <597FC6BE-2956-4766-A9E5-5DFFCF1F4DA8@ripe.net>
 <49E7C70A-103C-435F-8292-7535ACB091C5@NLnetLabs.nl>
Message-ID: <4F9116CD.6080601@ripe.net>

Hi Olaf,

On 12/04/20 09:09 , Olaf Kolkman wrote:
>
> On Apr 19, 2012, at 8:46 PM, Daniel Karrenberg wrote:
>
>>
>> Further to Olaf Kolkman's question at the meeting: we publish the
>> number of queries with DNSOK set continuously at
>>
>> http://k.root-servers.org/statistics/ROOT/dnssec.html
>>
>> This can be at all times compared to
>>
>> http://k.root-servers.org/statistics/ROOT/nodes.html
>>
>> So the answer to Olaf's question is that at present roughly two
>> thirds of the queries arriving at k-root have the DO-bit set.
>>
>
>
> Thanks Daniel,
>
> But my question was not statistics about the OK bit (that measures
> DNSSEC able servers in the field) but about queries for the DNSKEY
> RRset, since the amount of those queries correlates with the amount
> of DNSSEC validation that is actually happening.
>
> The RIPE NCC staff has been so kind to generate such graph on
> request, but it would be very nice to have that data available
> life. Even though the graphs do not demonstrate a significant
> growth at the moment.

We can certainly investigate the possibility of providing this
information on a regular basis. I assume that, given the current
change rate, daily updates would suffice, or are you really looking at
life as in real time?

Cheers,
Romeo

From olaf at NLnetLabs.nl Fri Apr 20 10:02:12 2012
From: olaf at NLnetLabs.nl (Olaf Kolkman)
Date: Thu, 19 Apr 2012 22:02:12 -1000
Subject: [dns-wg] DNSOK queries to k-root
In-Reply-To: <4F9116CD.6080601@ripe.net>
References: <597FC6BE-2956-4766-A9E5-5DFFCF1F4DA8@ripe.net>
 <49E7C70A-103C-435F-8292-7535ACB091C5@NLnetLabs.nl>
 <4F9116CD.6080601@ripe.net>
Message-ID:

On Apr 19, 2012, at 9:57 PM, Romeo Zwart wrote:

> We can certainly investigate the possibility of providing this
> information on a regular basis. I assume that, given the current
> change rate, daily updates would suffice, or are you really looking at
> life as in real time?

Quarterly would be good enough..

________________________________________________________
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/

From Roland.vanRijswijk at surfnet.nl Fri Apr 20 13:37:42 2012
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk)
Date: Fri, 20 Apr 2012 13:37:42 +0200
Subject: [dns-wg] DNSOK queries to k-root
In-Reply-To: <4F9116CD.6080601@ripe.net>
References: <597FC6BE-2956-4766-A9E5-5DFFCF1F4DA8@ripe.net>
 <49E7C70A-103C-435F-8292-7535ACB091C5@NLnetLabs.nl>
 <4F9116CD.6080601@ripe.net>
Message-ID:

Hi Romeo/Olaf,

On 20 apr. 2012, at 09:57, Romeo Zwart wrote:

>> Thanks Daniel,
>>
>> But my question was not statistics about the OK bit (that measures
>> DNSSEC able servers in the field) but about queries for the DNSKEY
>> RRset, since the amount of those queries correlates with the amount
>> of DNSSEC validation that is actually happening.
>>
>> The RIPE NCC staff has been so kind to generate such graph on
>> request, but it would be very nice to have that data available
>> life. Even though the graphs do not demonstrate a significant
>> growth at the moment.
>
> We can certainly investigate the possibility of providing this
> information on a regular basis. I assume that, given the current
> change rate, daily updates would suffice, or are you really looking at
> life as in real time?

We've created similar statistics in the past and saw low but promising
numbers for our own signed domains; obviously statistics for the root
zone would be more significant in this respect. I'm not familiar enough
with your setup to judge what would be a reasonable frequency but daily
updates sounds good to me.

Cheers,

Roland

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From pk at DENIC.DE Thu Apr 26 15:18:44 2012
From: pk at DENIC.DE (Peter Koch)
Date: Thu, 26 Apr 2012 15:18:44 +0200
Subject: [dns-wg] FWD from "policy-announce": Cosmetic Surgery Project: Extended Review Period on New Draft, Document for Reverse Address Delegation of IPv4 and IPv6 Address Space]
Message-ID: <20120426131844.GC441@x27.adm.denic.de>

DNS WG,

this announcement is potentially relevant to this forum. Please note
that the 'Cosmetic Surgery Project' does not intend to _change_ policy
but to enhance the text readability of the document. Discussion is
invited onto the address-policy-wg mailing list (see below).

-Peter

----- Forwarded message from Emilio Madaio -----

From: Emilio Madaio
To: policy-announce at ripe.net
Cc: address-policy-wg at ripe.net
Subject: [policy-announce] Cosmetic Surgery Project: Extended Review Period on New Draft, Document for Reverse Address Delegation of IPv4 and IPv6 Address Space
Date: Thu, 26 Apr 2012 15:10:22 +0200
Reply-To: address-policy-wg at ripe.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20120327 Thunderbird/11.0.1

Dear colleagues,

As part of the Cosmetic Surgery Project, the RIPE NCC is moving forward
with a review of the policy document ripe-302, "Policy for Reverse
Address Delegation of IPv4 and IPv6 address space in the RIPE NCC
Service Region".

A draft of the policy document is online and ready for community review
at:

https://www.ripe.net/ripe/readability/improving-the-readability-of-ripe-documents

The Address Policy Working Group Co-Chairs decided to extend the review
period until 24 May 2012 to allow the community more time to give their
feedback.

Please send your feedback on this draft document to the Address Policy
Working Group at .

Kind regards,

Emilio Madaio
Policy Development Officer
RIPE NCC

----- End forwarded message -----