Hello,
I stumbled in my resolver logs over validation failures with
hollington.ca (I'm not related to them, it is just a weird case).
In short: bind and unbound fail to validate, Google, dnsviz (
http://dnsviz.net/d/hollington.ca/dnssec/ ) or dnssec-debugger (
http://dnssec-analyzer.verisignlabs.
On 6/9/15 2:47 AM, Gilles Massen wrote:
In short: bind and unbound fail to validate, Google, dnsviz (
http://dnsviz.net/d/hollington.ca/dnssec/ ) or dnssec-debugger (
http://dnssec-analyzer.verisignlabs.com/hollington.ca ) are fine.
More detailed: delv complains with
;; validating hollington.ca/
On 6/9/15, 3:12, "Kevin Chen" wrote:
>>
>>which looks quite simple, however the KSK DNSKEY from hollington.ca is
>> part of the DS set. The only notable part of the DS set is that it
>> contains 4 keys, among which is an older (?) with a longer hash.
>
>RFC 4509 says:
>
>Implementations MUST
In message , Edward Lewis writes:
>
> On 6/9/15, 3:12, "Kevin Chen" wrote:
>
> >>
> >>which looks quite simple, however the KSK DNSKEY from hollington.ca is
> >> part of the DS set. The only notable part of the DS set is that it
> >> contains 4 keys, among which is an older (?) with a longer ha
On 6/9/15, 7:42, "Mark Andrews" wrote:
>How could it be done "per key"? keyid's don't identify a key. They
>identify a set of keys.
Perhaps but in practice that's not happened. Some key management software
won't produce a DNSKEY RR matching an existing keyid. And - "per key"
could still be d
On 9 June 2015 at 14:53, Edward Lewis wrote:
> On 6/9/15, 7:42, "Mark Andrews" wrote:
> ents that can be referenced
> separately (like in RFP's and contracts). I found that trying to make
> code prefer newer technologies over old by fiat seems to backfire (like
> the way DNS used to prefer v6 o
On Tue, Jun 9, 2015 at 5:55 AM, Edward Lewis wrote:
> On 6/9/15, 3:12, "Kevin Chen" wrote:
>
> >>
> >>which looks quite simple, however the KSK DNSKEY from hollington.ca is
> >> part of the DS set. The only notable part of the DS set is that it
> >> contains 4 keys, among which is an older (?) w
On 6/9/15, 10:24, "Casey Deccio" wrote:
> But when you consider a downgrade attack, the attacker only needs the lowest
> hanging fruit. That means that *any* DS (regardless of DNSKEY) with the
> weaker digest type could potentially be used for falsifying a DNSKEY.
I'm just going to throw this o
I'd like to revisit this thread because I never got a response last time.
Original Message
Subject: Re: [dns-operations] [Security] Glue or not glue?
Date: Thu, 07 May 2015 09:54:13 -0400
From: Mark E. Jeftovic
Organization: easyDNS Technologies Inc.
To: Paul Vixie
CC: Stephan
I noticed that the .co TLD servers seem to not respond to various
queries, eg:
dig +norecurse -t openpgpkey roessner.co. @ns1.cctld.co.
dig +norecurse -t cds roessner.co. @ns1.cctld.co.
dig +norecurse -t uri roessner.co. @ns1.cctld.co.
It oddly enough does return answers for the private use ran
Hi Paul,
On 9 Jun 2015, at 12:10, Paul Wouters wrote:
I noticed that the .co TLD servers seem to not respond to various
queries, eg:
dig +norecurse -t openpgpkey roessner.co. @ns1.cctld.co.
dig +norecurse -t cds roessner.co. @ns1.cctld.co.
dig +norecurse -t uri roessner.co. @ns1.cctld.co.
It
Mark E. Jeftovic wrote:
> I'd like to revisit this thread because I never got a response last time.
> ...
> Paul when you say:
>
>> if we're voting, i agree with this recommendation. (we should have named the
>> root name servers X.ROOT-SERVERS without a delegation for .ROOT-SERVERS, so
>> as t
Mark Andrews wrote:
> Additionally there are "risks" with both strategies. If you have
> vanity names then you have the risk of not updating all the glue
> records when you renumber the nameservers.
>
> The biggest issue is not having delegations checked by all parties
> involved in the delega
In message <55771150.7090...@redbarn.org>, Paul Vixie writes:
>
>
> Mark E. Jeftovic wrote:
> > I'd like to revisit this thread because I never got a response last time.
> > ...
> > Paul when you say:
> >
> >> if we're voting, i agree with this recommendation. (we should have named t
> he root n
In message <557784d1.3050...@easydns.com>, "Mark E. Jeftovic" writes:
>
>
> Mark Andrews wrote:
>
> > Additionally there are "risks" with both strategies. If you have
> > vanity names then you have the risk of not updating all the glue
> > records when you renumber the nameservers.
> >
> > Th
15 matches
Mail list logo
