has been applied without changing the DS RRset in the root zone.
The mismatched KSK and DS have not changed since then. For a TLD, this
seems to be taking an inordinately long time to sort out.
--
Chris Thompson University of Cambridge Computing Service,
Email: c...@ucs.cam.ac.uk
n--80aswg.
give SERVFAILs which can be avoided by adding the +cd option.
--
On Oct 24 2013, Dan York wrote:
On 10/24/13 9:12 AM, "Chris Thompson" wrote:
At 13:01 23-10-2013, Edward Lewis wrote:
My sensors show 4 new gTLDs in the last hour or so...IDN,
non-ccTLD...added between 1800 and 1900 UTC.
Not mentioned yet is that all four appeared already signe
ts out why that is. "*.xn--80asehdb"
(for example) isn't covered by the sole NSEC3 returned, even if
the queried name is.
--
TLDs have all NS records inside themselves. These include 51 ISO3166
ccTLDs, 5 ASCII gTLDs (biz, mil, net, tel, travel) and [now!] just one
IDN gTLD (the above).
--
such cases.)
[*] "sibling glue" is what the BIND documentation (e.g. the man page
for named-checkzone) calls it. It may not be standard terminology.
--
are being returned.
--
Chris Thompson               University of Cambridge Computing Service,
Email: c...@ucs.cam.ac.uk    Roger Needham Building, 7 JJ Thomson Avenue,
Phone: +44 1223 334715       Cambridge CB3 0RB, United Kingdom.
___
dns-operations mai
gallery
graphics
land
plumbing
sexy
tattoo
technology
--
more of a problem: sap for
instance.
"wpad" ?
--
records in in-addr.arpa?
(Of course we could ask the same question of the other RIRs as well...)
--
On Nov 18 2013, Anand Buddhdev wrote:
On 17/11/2013 18:57, Chris Thompson wrote:
Hi Chris,
As a matter of interest to many of us, what are ARIN's operational
procedures for interlocking KSK rollovers in NNN.in-addr.arpa zones
with the change of DS records in in-addr.arpa?
(Of cour
ey
think of the fact that the same KSK/DS mismatch is still there, three
months on.
Apart from that, all the RRSIGs in the zone expired on 2013-09-20.
One has to feel that the administrators of this TLD should never have
attempted to make it signed, if this is the best they can do
o mean. Not that it matters.
I hope we aren't going to see TXT records containing fatuous legal
disclaimers added to DNS responses in the annoying way that they are
too often used in e-mail... :-)
--
there? "In the absence of validation" might be an explanation, though.
--
r IPv6 address space - because JANET have still not got around to
signing the intermediate zones between us and RIPE-NCC. It's the main
reason we can't abandon DLV yet.
--
kipedia.org/wiki/List_of_countries_by_population
the largest country with (currently) unsigned ccTLD is Indonesia ("id"),
although they have been experimenting recently.
Using https://en.wikipedia.org/wiki/List_of_countries_and_dependencies_by_area
on the other hand does put Australia in the
An AAAA record for c.root-servers.net (2001:500:2::c) has appeared in the
zone and in the additional section of priming responses from the root servers,
but ftp://{ftp,rs}.internic.net/domain/named.{cache,root} do not include it yet.
Should I just wait patiently until they do? :-)
--
-debugger.verisignlabs.com/ agrees with me.
Is it significant that both TLDs were created on 2014-01-03?
http://newgtlds.icann.org/en/program-status/delegated-strings ascribes
them to different organisations, but they are hosted on the same
nameservers (zdnscloud.com).
--
.org referencing the current
KSK. But the mismatching DS is still there in the root zone, so the DLV
record isn't helping any validator using a root zone trust anchor, even
if it is using lookaside validation as well.
--
became Solaris 7 at FCS.
So BIND 9.11 could transmogrify into BIND 11 ...
--
Chris Thompson               University of Cambridge Information Services,
Email: c...@uis.cam.ac.uk    Roger Needham Building, 7 JJ Thomson Avenue,
Phone: +44 1223 334715       Cambridge CB3 0RB, United Kingdom
sses.
It isn't obvious that this does any harm - RFC1918 reverse queries that
escape onto the Internet get an NXDOMAIN one way or another, but the
inconsistency is somewhat confusing.
--
which it should try first will "depend on local circumstances, such
as performance of the relevant networks" ...
--
Ds "0" .. "255" could be usefully black-holed by
DNAME'ing them to "EMPTY.AS112.ARPA" once we have
http://tools.ietf.org/html/draft-ietf-dnsop-as112-dname-03
deployed?
--
to inflict fire and brimstone on the perpetrators, with wailing and
gnashing of teeth ... [oops, some sort of mixup with Luis Suarez there]
--
Same for gmail.co.nz, gmail.es, gmail.in,
but I don't think I am going to work through all the ccTLDs!
I expect only someone from Google could really explain what they are up to...
--
On Jul 20 2014, Stephane Bortzmeyer wrote:
Note that they are validators:
https://dns.watch/
But I notice that dns.watch itself is not signed ...
--
ion.otsuka.
and the corresponding RRSIGs.
What do people think about this business? Is anyone taking specific precautions
to detect attempts to connect to 127.0.53.53?
--
all about...)
--
ions generate
2^30+3 but newer ones 2^32+1. I am not sure yet just when it changed,
but OpenSSL 1.0.0 certainly generates the latter.
--
There seems to be a DS / DNSKEY mismatch for this APNIC reverse zone.
http://dnssec-debugger.verisignlabs.com/e.0.1.0.0.2.ip6.arpa
and http://dnsviz.net/d/e.0.1.0.0.2.ip6.arpa/dnssec/ agree.
--
cache).
--
Chris Thompson               University of Cambridge Computing Service,
Email: c...@ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
't seem to have any trouble with this.
Some of the DNSSEC checking sites seem not to try all the nameservers,
at least by default.
--
. Sharing experiences about configurations
might usefully be done there (always remembering that the black hats may be
listening, of course).
We have turned on rate limiting on our authoritative nameservers with
good effect.
--
't have to have the same TTL.
They do seem to have made them uniformly 3600 at the authoritative
servers now.
I could find other things to complain about them, though, such as
how they don't support EDNS, and the IPv6 addresses seem not to
be working from here...
--
only with KSK 64326 and ZSK 48824.
Nice DNSviz graph.
Looks like the DS record has been updated to refer to the KSK 64326 now.
A bit of "rndc flushname verisigninc.com" made the domain resolve again.
--
round robin" any day) for each response.
--
an "use the web interface". It certainly would if
you were in fact updating the RIPE NCC database.
--
On Jul 24 2012, Joe Abley wrote:
On 2012-07-24, at 08:03, Chris Thompson wrote:
[...]
"Talk" ought to mean "use the web interface". It certainly would if
you were in fact updating the RIPE NCC database.
PGP-signed e-mail to the auto-...@ripe.net robot still works jus
One data point: of 89 TLDs with DS records in the root zone,
5 use type 1 (SHA-1) only [they are BR, MM, NA, PR, TH]
47 use both types 1 and 2
37 use type 2 (SHA-256) only
--
re near having a DS in the root zone yet.
--
e DS records are for keys with ids 17106 and 21774. The DNSKEY
corresponding to the latter is revoked, while the one corresponding to
the former is present but is not used to sign the DNSKEY RRset. The only
KSK that is so used has id 21138, and there is no DS referencing it.
--
s.research.icann.org/dns/tld_report/ for
the last couple of days, despite the fact that it has DS records in the
root zone. And in fact a validating resolver gets SERVFAILs for it.
The signatures on the DNSKEY RRset have apparently been fixed within the
last few hours.
--
A.rname for several other zones[*], which
probably appears in no unrestricted web pages, gets almost none.
[*] No, of course I'm not going to say which they are here... :-)
--
th TC set) out of all the root
servers that I tried.
To me, a minimal truncated response is one with at most the question
section non-empty.
--
On Jan 10 2013, Tony Finch wrote:
Chris Thompson wrote:
On Jan 10 2013, Tony Finch wrote:
>
> NSD I'm not sure about since the root servers that run NSD send
> minimal truncated responses to ANY queries, and I don't know of other
> handy NSD servers to test.
The do
ave
written exactly the same paragraph again.
--
em only on Sunday:
Is fudging the expiry times like that really a good idea? If all
validators allowed a 10% overrun, DNS operators would just
get 10% sloppier and we would be back where we started.
--
-22 03:12:30 UTC.
--
f.cctld.us. 2001:500:3682::11
k.cctld.us. 2001:503:e239::3:1
work fine.
--
) seems quite a strange thing for even the
usual run of idiot firewall software to be doing.
--
NSKEY records got out of step in December 2011.
--
ew version, generated today, on the ARIN nameservers. Unfortunately, this
one has a mismatch between the DNSKEY records and the DS in the parent
zone - i.e. we are back in the December 2011 scenario.
Jinxed, indeed... :-(
--
ith serial 2013062400.
[I was amused, in a way, to notice that INT still has ns1.cs.ucl.ac.uk
as one of its nameservers. A truly venerable server, and you can really
believe the result of running "dig CH TXT version.bind @ns1.cs.ucl.ac.uk".]
--
ing the DS RRset in the root zone.
--