[dns-operations] Few questions regarding DNSSEC
I have recently started signing all of my domains that I possibly can. I have a couple of questions.

1) Are there any recommendations on how often keys should be rotated? Best practices to perform during the rotation process?

2) I have a zone ircops.org delegated to my own NSes, in it there is a sub-zone dnsbl.ircops.org delegated to other nameservers. Does dnsbl.ircops.org need to be signed with the same key(s) as ircops.org?

Thank you for your answers. References to reading materials are much appreciated.

--
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post. It is not logical.
Please don't CC me! I'm subscribed to whatever list I just posted on.
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] Few questions regarding DNSSEC
Thank you for all your replies. Looks like I have some RFCs to read. :)

--
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post. It is not logical.
Please don't CC me! I'm subscribed to whatever list I just posted on.

[dns-operations] Manually adding DS for .ca domains
Anybody from CIRA in here? I've tried emailing to have my DS manually added for my .ca domains but cira_dns...@cira.ca bounces.

Help is appreciated.

--
staticsafe
https://asininetech.com

[dns-operations] .au signed
Hey all,

.au has started their experimental phase and .au is now signed.

Further details:
http://www.lists.auda.org.au/pipermail/dnssec-announce/2014-April/01.html

--
staticsafe
https://asininetech.com

[dns-operations] The Decline and Fall of BIND 10
This might be of interest:
https://ripe68.ripe.net/presentations/208-The_Decline_and_Fall_of_BIND_10.pdf

--
staticsafe
https://asininetech.com

Re: [dns-operations] The Decline and Fall of BIND 10
On 5/14/2014 14:55, Jonathan Stewart wrote:
> This is very interesting, and news to me.
>
> Has anyone written this story in prose, rather than a slideshow missing the
> vocal commentary to expand on the bullet points made?

There is this blog post/press release from ISC:
https://www.isc.org/blogs/isc-concludes-bind-10-development-with-release-1-2-project-renamed-bundy/

Not as dramatic but there it is. :)

--
staticsafe
https://asininetech.com

Re: [dns-operations] The Decline and Fall of BIND 10
On 5/14/2014 15:01, Gilles Massen wrote:
>
> With sound and in color.
>
> https://ripe68.ripe.net/archives/video/153/
>
> Gilles

Thanks for the link!

--
staticsafe
https://asininetech.com

Re: [dns-operations] Problems with the IPv6 verification support through tldmon
On 5/15/2014 16:27, Eduardo Mendez wrote:
> Regards,
>
> Today i´ve realized that for everytime i´ve checked IPv6 for all cctlds,
> they are in warning. Now for a little more than a day.
>
> https://tldmon.dns-oarc.net/nagios/
>
> Hugs.

Looks like the IPv6 connectivity on the host has failed.

HOST: ivy                                  Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 2600:3c03::8678:acff:fe57:aac1      0.0%    10    0.8   0.7   0.6   0.8   0.1
  2.|-- 2600:3c03::8678:acff:fe57:a841      0.0%    10    0.7   0.7   0.6   0.7   0.0
  3.|-- Vlan480.esd2.mmu.nac.net            0.0%    10    3.7   0.9   0.4   3.7   1.1
  4.|-- e1.1.tbr2.tl9.nac.net               0.0%    10    1.4   1.6   1.3   3.5   0.7
  5.|-- 2001:518:5001:10::2                 0.0%    10    3.1   1.8   1.4   3.1   0.6
  6.|-- nyk-tlx-r1-g-1-3.bb.belgacom-ics.net 0.0%   10    1.5  15.8   1.5 144.0  45.0
  7.|-- ???                                100.0    10    0.0   0.0   0.0   0.0   0.0

--
staticsafe
https://asininetech.com

[dns-operations] OVH and DNS amplification attacks
Perhaps this is of some interest to people here:
http://status.ovh.net/?do=details&id=4802

--
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post - http://goo.gl/YrmAb
Don't CC me! I'm subscribed to whatever list I just posted on.

[dns-operations] .biz DNSSEC failure?
.biz seems to be failing at DNSSEC validation, none of my validating resolvers are able to resolve biz. or any domains underneath.

; <<>> DiG 9.9.3-P1 <<>> biz.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29063
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;biz.                           IN      A

;; Query time: 11 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Jun 22 11:44:39 PDT 2013
;; MSG SIZE  rcvd: 32

http://dnssec-debugger.verisignlabs.com/nic.biz
http://dnsviz.net/d/nic.biz/dnssec/

--
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post.
Please don't CC! I'm subscribed to whatever list I just posted on.

[dns-operations] DNS, DNSSEC and Google's Public DNS
"For some time now we've been tracking the progress of the deployment of DNSSEC in the Internet. Its been a story of an evolution of the measurement technique, starting with a technique that attempted to guess at the behaviour of resolvers, through to techniques that explicitly pose novel DNS names to clients so as to negate aspects of resolver caching that otherwise complicate the measurement technique."

- http://www.circleid.com/posts/20130717_dns_dnssec_and_googles_public_dns_service/

--
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post.
Please don't CC! I'm subscribed to whatever list I just posted on.

Re: [dns-operations] .gov failing dnssec-validation
On Wed, Aug 14, 2013 at 03:31:12PM +0200, Casper Gielen wrote:
> It appears that .gov is failing dnssec-validation.
> They have switched over to a new key (id 7698, alg 8) without uploading a
> new DS to the root.
> --
> Casper Gielen | LIS UNIX
> PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
>
> Universiteit van Tilburg | Postbus 90153, 5000 LE
> Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl

Seems to have been fixed.

[root@ferrovax ~]# dig nsa.gov

; <<>> DiG 9.9.3-P2 <<>> nsa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29761
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nsa.gov.                       IN      A

;; ANSWER SECTION:
nsa.gov.                300     IN      A       65.196.127.226
nsa.gov.                300     IN      A       65.196.127.225

;; AUTHORITY SECTION:
nsa.gov.                82894   IN      NS      dsdn-gh1-uea05.nsa.gov.
nsa.gov.                82894   IN      NS      dsdn-gh1-uea06.nsa.gov.

;; ADDITIONAL SECTION:
dsdn-gh1-uea05.nsa.gov. 82894   IN      A       63.239.67.11
dsdn-gh1-uea06.nsa.gov. 82894   IN      A       63.239.65.41

;; Query time: 229 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 14 07:35:49 PDT 2013
;; MSG SIZE  rcvd: 158

--
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post.
Please don't CC! I'm subscribed to whatever list I just posted on.

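The failure reported in the quoted message above (a zone switching to a new key with no matching DS at the parent) can be checked mechanically. The following is an added example, not part of any list message: it computes RFC 4034 key tags and SHA-256 DS digests and reports whether any parent DS still matches a published DNSKEY. The owner name `example.`, the helper names and all key bytes are constructed; RRSIG verification is out of scope.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS as (key tag, algorithm, SHA-256 of owner name | DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest)

def check_delegation(owner, dnskeys, parent_ds):
    """Compare the child's DNSKEY RRset with the parent's DS RRset."""
    published = {make_ds(owner, k): k for k in dnskeys}
    matched = sorted(ds[0] for ds in parent_ds if ds in published)
    stale = sorted(ds[0] for ds in parent_ds if ds not in published)
    # KSKs (SEP bit 0x0001 set) that the parent does not vouch for.
    unanchored = sorted(
        ds[0] for ds, k in published.items()
        if struct.unpack("!H", k[:2])[0] & 0x0001 and ds not in parent_ds
    )
    return {"chain_intact": bool(matched), "matched": matched,
            "stale_ds": stale, "unanchored_ksks": unanchored}

# Constructed sample data: key material is arbitrary bytes, not real keys.
OWNER = "example."
OLD_KSK = dnskey_rdata(257, 8, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 8, bytes(range(64, 128)))
ZSK = dnskey_rdata(256, 8, bytes(range(128, 192)))
PARENT_DS = [make_ds(OWNER, OLD_KSK)]

if __name__ == "__main__":
    print("before roll:", check_delegation(OWNER, [OLD_KSK, ZSK], PARENT_DS))
    print("botched roll:", check_delegation(OWNER, [NEW_KSK, ZSK], PARENT_DS))
```

A result with `chain_intact` false and a non-empty `stale_ds` is the state validating resolvers answer with SERVFAIL; during a correct rollover the new KSK shows up in `unanchored_ksks` while `chain_intact` stays true until the parent DS is replaced.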