Re: [dns-operations] ccTLD operators

2014-11-27 Thread Anne-Marie Eklund-Löwinder
Hi Matteo, I would suggest that you make contact through ccNSO (http://ccnso.icann.org/) or through the regional organizations for country code top level domain registries (AFTLD, APTLD, CENTR and LACTLD). Kind regards, Anne-Marie Eklund Löwinder Chief Information Security Officer

Re: [dns-operations] ccTLD operators

2014-11-27 Thread fujiwara
You can start with Root Zone Database. http://www.iana.org/domains/root/db There are formal contact addresses. You can get formal responses from them. -- Kazunori Fujiwara, JPRS > From: Matteo Brighi > Good evening. > > > I am trying to get in touch with ccTLD operators across the world

Re: [dns-operations] Bind v6 TCP listen?

2014-11-27 Thread Tony Finch
Jared Mauch wrote: > > (aside: really wish bind would launch faster when loading these zones, > or background the loading of the zones and answer those it can). Check out the "map" zone file format in 9.10. Tony. -- f.anthony.n.finch http://dotat.at/ Fitzroy, Sole: Southerly 6 to gale 8, occ

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-27 Thread William F. Maton Sotomayor
On Wed, 26 Nov 2014, Stephane Bortzmeyer wrote: I'm trying to find out if there exists a public IP address which is a black hole, swallowing every packet sent to it. Sometime on this list or on as112-ops, it was pointed out that an operator in Germany did that for a domain - they made it the NS

Re: [dns-operations] Bind v6 TCP listen?

2014-11-27 Thread bert hubert
On Wed, Nov 26, 2014 at 12:37:57PM -0500, Jared Mauch wrote: > Is there some specific configuration magic that I’m missing to make bind > listen to TCPv6 sockets? I do realize that in many places DNS and BIND are nearly the same thing, but perhaps we should keep this list for generic DNS things?

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-27 Thread Warren Kumari
On Wed, Nov 26, 2014 at 7:12 PM, Robert Edmonds wrote: > Warren Kumari wrote: >> This thingie has many aspects that look a bunch like AS112 -- I'm >> wondering if it makes sense to also request an AS number for this. >> It's not strictly needed, but having fewer inconsistent origin routes >> is al

Re: [dns-operations] Bind v6 TCP listen?

2014-11-27 Thread Jared Mauch
> On Nov 27, 2014, at 9:27 AM, bert hubert wrote: > > On Wed, Nov 26, 2014 at 12:37:57PM -0500, Jared Mauch wrote: >> Is there some specific configuration magic that I’m missing to make bind >> listen to TCPv6 sockets? > > I do realize that in many places DNS and BIND are nearly the same thing

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread David Conrad
Patrik, On Nov 26, 2014, at 10:40 PM, Patrik Fältström wrote: > FWIW, I have been working on this for a while with the Diplo foundation, and > I am happy to answer questions (and of course listen to concerns). It is an interesting idea, but I don't get how it would work. I asked Jovan back wh

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-27 Thread Robert Edmonds
Mark Andrews wrote: > I would say CNAME/DNAME with a week long ttl to one of the non RFC > 1918 or ULA default local zones but IANA has been tardy about getting > the insecure delegations in place to break the DNSSEC chains of > trust. That way default local zone aware recursive servers would > an

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Richard Lamb
Having worked on SOLAS at Intl Maritime Org, I agree with David. There are many parallels to that space and domain name space. We should learn from that experience. Rick Sent from my iPhone > On Nov 27, 2014, at 11:19, David Conrad wrote: > > Patrik, > >> On Nov 26, 2014, at 10:40 PM, Pa

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Warren Kumari
... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few others (who I embarrassingly enough have forgotten) are planning on writing a "zone signature" draft (I have an initial version in an edit buffer). The 50,000 meter view is: Sort all the records in canonical order (including glue) Cry

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Mark Andrews
In message , Warren Kumari writes: > > ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few others > (who I embarrassingly enough have forgotten) are planning on writing a "zone > signature" draft (I have an initial version in an edit buffer). The 50,000 > meter view is: > Sort all t

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-27 Thread Mark Andrews
In message <20141127171135.ga30...@mycre.ws>, Robert Edmonds writes: > Mark Andrews wrote: > > I would say CNAME/DNAME with a week long ttl to one of the non RFC > > 1918 or ULA default local zones but IANA has been tardy about getting > > the insecure delegations in place to break the DNSSEC chai

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Warren Kumari
On Thursday, November 27, 2014, Mark Andrews wrote: > > In message < > cahw9_ildgnkmervovhhj41fswm6+5yj0tdxrsj17kdhzqty...@mail.gmail.com > > > , Warren Kumari writes: > > > > ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few others > > (who I embarrassingly enough have forgotten)

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Paul Vixie
> Warren Kumari > Thursday, November 27, 2014 1:11 PM > ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few > others (who I embarrassingly enough have forgotten) are planning on > writing a "zone signature" draft (I have an initial version in an edit > buff

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Warren Kumari
On Thursday, November 27, 2014, Paul Vixie wrote: > > > Warren Kumari > Thursday, November 27, 2014 1:11 PM > ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few others > (who I embarrassingly enough have forgotten) are planning on writing a "zone > signature" draft (I have an in

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Francisco Obispo
+1 And if someone is already serving the root zone, they can always modify the server to return AA. I'm also wondering about the use case. Francisco Obispo > On Nov 27, 2014, at 1:55 PM, Paul Vixie wrote: > > > >> Warren Kumari Thursday, November 27, 2014 >> 1:11 PM >> ... and M

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Mark Andrews
In message <54779dd0.4070...@redbarn.org>, Paul Vixie writes: > > Warren Kumari > > Thursday, November 27, 2014 1:11 PM > > ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few > > others (who I embarrassingly enough have forgotten) are planning on > > writin

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Warren Kumari
On Thursday, November 27, 2014, Francisco Obispo wrote: > +1 > > And if someone is already serving the root zone, they can always modify > the server to return AA. > > I'm also wondering about the use case. > See above - this has *nothing* to do with setting or not setting AA. This simply allows

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Edward Lewis
Not meant to rain on the parade (but this sounds like it) - early on in the development of DNSSEC we spent a bit of time on SIG(AXFR) which is exactly what you described. We toyed with it and discarded it. I forget why (which makes this a “rain on the parade” email) but for a long time afterwards

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Edward Lewis
After reading on… I think the rationale of killing SIG(AXFR) was that DNSSEC is there to protect the relying party and not the manager of the zone. I.e., a relying party only cared about the data it received pertinent to the query it issued. This made building the chain of trust as efficient

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread George Michaelson
If somebody said to me: "let's have a canonicalize() function which makes a deterministic byte-stream of the state of a zone, and then calculate a checksum over it" I'd struggle to say that was a bad idea. If you have a transform which takes updates in any kind, AXFR or IXFR and can then re-cano

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Mark Andrews
In message , Edward Lewis writes: > Not meant to rain on the parade (but this sounds like it) - early on in the > development of DNSSEC we spent a bit of time on SIG(AXFR) which is exactly > what you described. > > We toyed with it and discarded it. I forget why (which makes this a "rain > on th

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Paul Vixie
summary: no worries, this isn't what i thought it was. details below. > Warren Kumari > Thursday, November 27, 2014 2:20 PM > > This allows a slave (or anyone else who wants to validate a zone, e.g > a master loading from disk) to know that they have a full and correct >

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Mark Andrews
In message <5477dcc2.8050...@redbarn.org>, Paul Vixie writes: > > summary: no worries, this isn't what i thought it was. details below. > > > Warren Kumari > > Thursday, November 27, 2014 2:20 PM > > > > This allows a slave (or anyone else who wants to validate a zone,

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Paul Vixie
> Mark Andrews > Thursday, November 27, 2014 7:22 PM >> if your master server sends you a final (matching) SOA not having >> stuffed its end of the tcp session with all the right records in >> between, or if your TCP is allowing end-to-end badness without its CRC32 >> detec

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Patrik Fältström
> On 27 Nov 2014, at 17:10, David Conrad wrote: > > On Nov 26, 2014, at 10:40 PM, Patrik Fältström wrote: >> FWIW, I have been working on this for a while with the Diplo foundation, and >> I am happy to answer questions (and of course listen to concerns). > > It is an interesting idea, but I