[dns-operations] [Zonemaster] DNS zone/service checking tool features survey

Hi All, Thanks for responding one response per user. Apologies for cross-posting. *Access*: All *Close date*: 03/04/2015 *Survey*: https://fr.surveymonkey.com/r/zonemaster *Background*: "Afnic" and "IIS.SE" are currently in th

Re: [dns-operations] CloudFlare policy on ANY records changing

On Mon, Mar 9, 2015 at 10:58 PM, Mark Andrews wrote: > > > > In message < > cagmqtqjrpx_xg_ojtshsw5yqaefkzwdma16xw7iry9pr0_f...@mail.gmail.com> > , Yunhong Gu writes: > > > > Returning NOTIMP may confuse resolvers as it is not clear "what is not > > implemented". > > Which is why you only change

Re: [dns-operations] CloudFlare policy on ANY records changing

On Mar 10, 2015, at 6:25 AM, Yunhong Gu wrote: > So the problem is, why NOTIMP? REFUSED sounds like a better choice. +1. "REFUSED" exactly describes what is going on. --Paul Hoffman ___ dns-operations mailing list dns-operations@lists.dns-oarc.net htt

Re: [dns-operations] Saga of HBONow DNSSEC Failure

On Mar 9, 2015, at 23:50 , Livingood, Jason wrote: > So earlier today HBO announced a new HBONow streaming service (at an Apple > event). The FQDN to order, which should have been DNSSEC-enabled, was > order.hbonow.com. This unfortunately suffered from a rather inconveniently > timed DNSSEC

Re: [dns-operations] Saga of HBONow DNSSEC Failure

Jason- Thank you for sharing the details. Another excellent real world example. Too bad it caused you consternation. -Rick From: dns-operations [mailto:dns-operations-boun...@dns-oarc.net] On Behalf Of Livingood, Jason Sent: Monday, March 09, 2015 8:50 PM To: dns-operations Subject: [dns

Re: [dns-operations] Saga of HBONow DNSSEC Failure

On Tue, Mar 10, 2015 at 11:09 AM, Matthew Pounsett wrote: > > On Mar 9, 2015, at 23:50 , Livingood, Jason > wrote: > >> So earlier today HBO announced a new HBONow streaming service (at an Apple >> event). The FQDN to order, which should have been DNSSEC-enabled, was >> order.hbonow.com. This

Re: [dns-operations] Saga of HBONow DNSSEC Failure

On 3/9/15, 23:50, "Livingood, Jason" wrote: >So earlier today HBO announced a new HBONow streaming service (at an >Apple event). The FQDN to order, which should have been DNSSEC-enabled, >was order.hbonow.com. This unfortunately suffered from a rather >inconveniently timed DNSSEC problem >(http:/

Re: [dns-operations] CloudFlare policy on ANY records changing

On Tue, Mar 10, 2015 at 07:53:51AM -0700, Paul Hoffman wrote: > On Mar 10, 2015, at 6:25 AM, Yunhong Gu wrote: > > So the problem is, why NOTIMP? REFUSED sounds like a better choice. > > +1. "REFUSED" exactly describes what is going on. Another +1. It's comparable to AXFR/IXFR from an unauthori

Re: [dns-operations] CloudFlare policy on ANY records changing

On Mar 10, 2015, at 8:46 AM, David C Lawrence wrote: > > Paul Hoffman writes: >> On Mar 10, 2015, at 6:25 AM, Yunhong Gu wrote: >>> So the problem is, why NOTIMP? REFUSED sounds like a better choice. >> >> +1. "REFUSED" exactly describes what is going on. > > One down side there, however, is

Re: [dns-operations] Saga of HBONow DNSSEC Failure

On Mar 10, 2015 12:16 PM, "Edward Lewis" wrote: > ... > Perhaps Comcast could install little squirrel > feeders in the neighborhood. > That they don't, and have let this problem go unabated for years, illustrates their bias. #nutneutrality Apologies, Eli _

Re: [dns-operations] CloudFlare policy on ANY records changing

Paul Hoffman writes: > On Mar 10, 2015, at 8:46 AM, David C Lawrence wrote: > > One down side there, however, is that REFUSED as understood by > > resolvers commonly has the semantic currently that the name is not > > hosted by the server at all. > > If a resolver is sending an ANY before it send

Re: [dns-operations] Saga of HBONow DNSSEC Failure

On 3/10/15, 12:55 PM, "Eli Heady" mailto:eli.he...@gmail.com>> wrote: On Mar 10, 2015 12:16 PM, "Edward Lewis" mailto:edward.le...@icann.org>> wrote: > ... > Perhaps Comcast could install little squirrel > feeders in the neighborhood. > That they don't, and have let this problem go unabated fo

Re: [dns-operations] Saga of HBONow DNSSEC Failure

On 3/10/15, 12:11 PM, "Edward Lewis" wrote: >I (as well as others) knew this day would come - >when an ISP would get the brunt of someone's DNSSEC misfire. (Others >include many who worked on the original design and deployment workshops.) It won¹t be the last time! ;-) >The only way I can make

[dns-operations] What would it take...

...to prevent another DS<-->DNSKEY mishap from happening again? I'm presenting the message to the DNS Operations list of DNS-OARC. (Being subscribed to so many DNS lists I keep forgetting if I'm acting as an IETF participant or talking as a past operator of DNS or as ) In short, think about

Re: [dns-operations] What would it take...

In message , Edward Lewis writes: > Content-transfer-encoding: 7bit > > ...to prevent another DS<-->DNSKEY mishap from happening again? > > I'm presenting the message to the DNS Operations list of DNS-OARC. (Being > subscribed to so many DNS lists I keep forgetting if I'm acting as an IETF > pa

[dns-operations] Fwd: [nznog] DNSSEC validation at Spark NZ

Forwarded Message Subject: [nznog] DNSSEC validation at Spark NZ Date: Tue, 10 Mar 2015 11:45:27 +1300 From: Sebastian Castro Organization: .nz Registry Services To: nz...@list.waikato.ac.nz Hi: We'd like to share a short technical blog post from NZRS about Spark NZ enabling D

Re: [dns-operations] [DNSOP] dnsop-any-notimp violates the DNS standards

Regarding the statement "query type ANY 'matches all RR types CURRENTLY IN THE CACHE'." Actually, there's nothing in RFC 1034 that clearly *mandates* this behavior -- Section 3.7.1 says only that a QTYPE of * "matches all RR types", whereas Section 5.3.3 ("Algorithm") says to return "the answer

Re: [dns-operations] What would it take...

On 3/10/15, 16:45, "Mark Andrews" wrote: > >Why don't we just implement TSIG signed updates... In the sense of "baby steps first" - what I'm driving towards "error detection", ensuring that the zone-to-be is in line with it's environment. Getting to "error correction" is the next level, but comp

Re: [dns-operations] CloudFlare policy on ANY records changing

On Tue, 10 Mar 2015, Chris Adams wrote: > A problem with ever using ANY to get "more information" from a cache is > the client's/applications's assumption that all requests will go to the > same server. Even if a client sends requests to the same IP, anycast > can mean they go to a different serve

Re: [dns-operations] What would it take...

In message , Edward Lewis writes: > > > >Why don't we just implement TSIG signed updates... > > In the sense of "baby steps first" - what I'm driving towards "error > detection", ensuring that the zone-to-be is in line with it's environment. > Getting to "error correction" is the next level, but

Re: [dns-operations] What would it take...

Tsig won't scale for something like this. Please consider sig0. -- Sent from my Android device with K-9 Mail. Please excuse my brevity.___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-opera

Re: [dns-operations] What would it take...

In message <1fb3db93-eb08-4864-9d3c-e48da9fc5...@redbarn.org>, P Vixie writes: > Tsig won't scale for something like this. Please consider sig0. I've got no objection to sig(0) but why won't it scale? There is a existing relationship so public key cyptography isn't needed. Sig(0) would require t