On Mon, Feb 13, 2012 at 2:31 PM, Tony Finch wrote:
> Florian Weimer wrote:
> >
> > Doesn't the DNSSEC-based mitigation rely on RRSIGs whose validity does
> > not extend too far into the future?
>
> It depends on the TTL of the DS record or its proof of nonexistence.
>
>
Of course, the TTL is als
Florian Weimer wrote:
>
> Doesn't the DNSSEC-based mitigation rely on RRSIGs whose validity does
> not extend too far into the future?
It depends on the TTL of the DS record or its proof of nonexistence.
Tony.
--
f.anthony.n.finch http://dotat.at/
North FitzRoy, Sole: Northerly or northweste
* Stephane Bortzmeyer:
> OK, so there is nothing that can be done at the registry level.
Doesn't the DNSSEC-based mitigation rely on RRSIGs whose validity does
not extend too far into the future?
___
Please visit https://lists.isc.org/mailman/listinfo/b
In message <4f394e27.7050...@gmail.com>, pch0317 writes:
> Dear list,
>
> I would like to know in which maximum period of time new value of
> Resource Record (RR) on the DNS server will be propagated via network to
> client.
>
> For example client "D" requests for RR to cache server "C", cache
Am 11.02.2012 um 11:33 schrieb Axel Rau:
>
> Am 10.02.2012 um 01:57 schrieb Mark Andrews:
>
>> You don't submit the initial DS until the KSK is active and any old
>> state about the DNSKEY as clear caches. I recommend "activate" +
>> "publish" at the same time.
> I see. draft-ietf-dnsop-dnsse
Dear list,
I would like to know in which maximum period of time new value of
Resource Record (RR) on the DNS server will be propagated via network to
client.
For example client "D" requests for RR to cache server "C", cache server
"C" sends request for RR to cache "B" server and "B" cache se
On 02/13/12 18:57, Spain, Dr. Jeffry A. wrote:
Ok, thanks a lot. I thought it was a client process. Now I can query
for the DS, DNSKEY records from isc.org.
Final question -- bind.odvr.dns-oarc.net is a cache right? Does bind
have such a caching program? Do we have a DNSSEC capable resolver in BIN
On 02/13/12 18:41, Phil Mayers wrote:
On 13/02/12 13:03, dE . wrote:
Ok, thanks a lot. I thought it was a client process. Now I can query for
the DS, DNSKEY records from isc.org.
Final question -- bind.odvr.dns-oarc.net is a cache right? Does bind have
such a caching program? Do we have a DNSSE
>> Ok, thanks a lot. I thought it was a client process. Now I can query
>> for the DS, DNSKEY records from isc.org.
>> Final question -- bind.odvr.dns-oarc.net is a cache right? Does bind
>> have such a caching program? Do we have a DNSSEC capable resolver in BIND?
> Bind *is* a caching program.
On 13/02/12 13:03, dE . wrote:
Ok, thanks a lot. I thought it was a client process. Now I can query for
the DS, DNSKEY records from isc.org.
Final question -- bind.odvr.dns-oarc.net is a cache right? Does bind have
such a caching program? Do we have a DNSSEC capable resolver in BIND?
Bind *is*
On 02/13/12 18:16, Spain, Dr. Jeffry A. wrote:
Try this one: dig @bind.odvr.dns-oarc.net. isc.org +dnssec You should
get an AD flag returned and a variety of RRSIG records. Jeff.
I hope I'm not missing any concepts here, but there should be a public key to
verify the RRSIG, where's that? Should
On 13/02/12 12:42, John Hascall wrote:
What I would like to have happen is for the IPv6 () query
for "evil-domain.com" to return "no data", but for the IPv4 (A)
query for "evil-domain.com" to return "CNAME".
Is this possible? If so, how?
Maybe alias the name to a local name, then insert
>> Try this one: dig @bind.odvr.dns-oarc.net. isc.org +dnssec You should
>> get an AD flag returned and a variety of RRSIG records. Jeff.
> I hope I'm not missing any concepts here, but there should be a public key to
> verify the RRSIG, where's that? Shouldn't the server return additional DNSKE
On 13/02/12 12:28, dE . wrote:
On 02/13/12 11:00, Spain, Dr. Jeffry A. wrote:
Using this DNS server, I'm still not getting the DNSKEY for any
DNSSEC capable domain; in fact this server has issues -
dig +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net.
I'd be really happy if I could get some domain
What I would like to have happen is for the IPv6 () query
for "evil-domain.com" to return "no data", but for the IPv4 (A)
query for "evil-domain.com" to return "CNAME ".
Is this possible? If so, how?
Thanks,
John
On 02/13/12 11:00, Spain, Dr. Jeffry A. wrote:
Using this DNS server, I'm still not getting the DNSKEY for any DNSSEC capable
domain; in fact this server has issues -
dig +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net.
I'd be really happy if I could get some domains which are signed.
Try this o
On 09.02.12 11:43, Lyle Giese wrote:
This is just my opinion, but this is not a bug. It's the side effect
of a desirable feature called caching.
It's a design flaw - you cache something forever, even if case you
should not do it. The cache time is given and we should not expand it,
for vali