[dns-operations] .COM Zone DNSSEC Operational Update -- ZSK length change

2019-10-14 Thread Wessels, Duane via dns-operations
All, Verisign is in the process of increasing the size and strength of the DNSSEC Zone Signing Keys (ZSKs) for the top-level domains that it operates. As part of this process, the ZSK for the .COM zone will be increased in siz

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Wessels, Duane via dns-operations
> On Nov 25, 2019, at 2:19 PM, Florian Weimer wrote: > > * Jim Reid: > >>> On 25 Nov 2019, at 20:54, Florian Weimer wrote: >>> Is it because of the incoming data is interesting? >> >> Define interesting. > > The data could have monetary value. Passwords that are other

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread Wessels, Duane via dns-operations
> On Nov 25, 2019, at 1:23 PM, Bill Woodcock wrote: > >> On Nov 25, 2019, at 9:54 PM, Florian Weimer wrote: >> The query numbers are surprisingly low. To me at last. > > Duane Wessels did a good study some time ago of queries to the root. I > believe over 99% were bog

Re: [dns-operations] .COM Zone DNSSEC Operational Update -- ZSK length change

2020-01-02 Thread Wessels, Duane via dns-operations
> On Dec 28, 2019, at 8:50 AM, Matt Nordhoff wrote: > > On Mon, Oct 14, 2019 at 6:34 PM Wessels, Duane via dns-operations > wrote: >> All, >> >> Verisign is in the process of increasing the size and strength of >> the DNSSEC Zone S

Re: [dns-operations] [Ext] Something happening in the root?

2020-02-25 Thread Wessels, Duane via dns-operations
Thank you, Chris. Some further information: The issue involved a delay of zone updates, to a single server, over a limited period of time. We are putting in place additional measures to help prevent a recurrence and will provide more information if applicable. DW > On Fe

Re: [dns-operations] SOA rname breakage (first label split on internal dots) from Verisign public DNS

2020-03-24 Thread Wessels, Duane via dns-operations
Thanks Viktor, we will investigate and report back. DW > On Mar 23, 2020, at 11:39 PM, Viktor Dukhovni wrote: > > The podotrack.nl domain has two authoritative servers: > >podotrack.nl. IN NS ns1.exsilia.net. >podotrack.nl. IN NS ns2.exsilia.net. > > Both retur

Re: [dns-operations] SOA rname breakage (first label split on internal dots) from Verisign public DNS

2020-03-27 Thread Wessels, Duane via dns-operations
Viktor, Thanks again for reporting this. We have identified the source of the problem and have begun developing a fix. We'll let you know once it has been deployed. DW > On Mar 24, 2020, at 8:02 AM, Wessels, Duane wrote: > > Thanks Viktor, we will investigate and repo

[dns-operations] Disclosure of root zone TSIG keys

2020-05-28 Thread Wessels, Duane via dns-operations
Dear DNS operations community, Last week Verisign determined that the transaction signature (TSIG) keys used to authenticate and secure root zone transfers from our zone distribution servers to root server operators were exposed to one or more unauthorized parties. For the

Re: [dns-operations] Disclosure of root zone TSIG keys

2020-05-29 Thread Wessels, Duane via dns-operations
> On May 29, 2020, at 2:29 AM, Shane Kerr wrote: > > Duane, > > I really appreciate this level of transparency, thank you. > > This does make me think of a couple of questions. > > > First, I assume that the main goal of TSIG is to prevent modification of the > zone fil

Re: [dns-operations] .com delegation responses when glue addresses don't fit

2020-08-25 Thread Wessels, Duane via dns-operations
Hi Mukund, We are aware that this situation can arise given certain combinations of referral size and EDNS0 buffer size. We're also aware of draft-ietf-dnsop-glue-is-not-optional, and our engineers are figuring out how best to update our software in that context. It woul

Re: [dns-operations] https://secure-web.cisco.com/1QObC8qh53iR__TlqRff59E5B8JFiAV2VUGirT2kdLKo0yz-mYw9xle11YYObM5lxuamt1wUA26DRNfoRK6v8IXYl9zUeX7VkWIaBof6KLCFjBHsfqxnMrN2Muac7SkNMlWXCdqDvPKJTAORrYe1s9

2020-11-09 Thread Wessels, Duane via dns-operations
Hi Calvin, you can poke me. DW > On Nov 9, 2020, at 1:05 AM, Calvin Browne wrote: > > Caution: This email originated from outside the organization. Do not click > links or open attachments unless you recognize the sender and know the > content is safe. > > > > > H

Re: [dns-operations] https://secure-web.cisco.com/1ZjyzJskkYQq7sVMAaORAQUNbtLnCDdiphJXoIUgaA7_oFL6tHC8iV070aZrCZfTyULjhkVi3xJfW5opBdNn-YVZVvneE8CazN4a3cBB_5D0ERlfp-D-9kGVsbAT_XzThiOOKiL1K02Z_t969017Ug

2020-11-09 Thread Wessels, Duane via dns-operations
> On Nov 9, 2020, at 11:44 AM, Warren Kumari wrote: > > Erm, what sort of glitch? (seems to work for me - wondering if it is > transient, or ...) It was easily fixed. The glitch was a bug in the backend script such that every request led to an "Internal Server Error".

Re: [dns-operations] anybody awake over at comcast.net?

2021-02-09 Thread Wessels, Duane via dns-operations
> On Feb 8, 2021, at 9:27 PM, Paul Vixie wrote: > > i expect i'll crib together some bourne shellack to check my whole signature > chains and warn me when there's less than 72 hours remaining in any validity > period. going into SERVFAIL like this is an operational risk i

Re: [dns-operations] anybody awake over at comcast.net?

2021-02-09 Thread Wessels, Duane via dns-operations
> On Feb 8, 2021, at 9:27 PM, Paul Vixie wrote: > > i expect i'll crib together some bourne shellack to check my whole signature > chains and warn me when there's less than 72 hours remaining in any validity > period. going into SERVFAIL like this is an operational risk i

Re: [dns-operations] anybody awake over at comcast.net?

2021-02-09 Thread Wessels, Duane via dns-operations
> On Feb 9, 2021, at 9:58 AM, Matthew Richardson > wrote: > > On Tue, 9 Feb 2021 16:43:20 +, Duane Wessels wrote:- > >> If you use Nagios or something compatible, there is this: >> >> http://secure-web.cisco.com/1ZWcEZ_A3D0HVUDh0W30HiqK06_fxVH7k6Y8MQ0xEkq1R7DisrP18N

[dns-operations] Incorrect NSEC responses from Verisign root server instances

2021-02-26 Thread Wessels, Duane via dns-operations
On February 26, 2021 at ~1431 EST, Verisign was notified that some of its root server instances were returning incorrect responses for queries of type NSEC. We identified the subset of instances affected and took them out of service (as of ~1506 EST). The remainder of our sy

Re: [dns-operations] Verisign won't delete obsolete glue records?

2021-03-01 Thread Wessels, Duane via dns-operations
> On Mar 1, 2021, at 4:01 PM, Jim Reid wrote: > > The original glue records will not be obsolete even though you believe they > are. There must be at least one other delegation in the .com registry which > references the nameserver object(s) for the glue record(s) you th

Re: [dns-operations] Verisign won't delete obsolete glue records?

2021-03-02 Thread Wessels, Duane via dns-operations
> On Mar 2, 2021, at 12:10 PM, Doug Barton wrote: > > On 3/2/21 11:49 AM, Andrew Sullivan wrote: >> On Mon, Mar 01, 2021 at 04:35:47PM -0800, Doug Barton wrote: >>> >>> >>> Perhaps I didn't ask my question clearly enough. Let's take a delegation >>> for example.com to n

Re: [dns-operations] RRSIG expiry versus TTL

2021-09-07 Thread Wessels, Duane via dns-operations
> On Sep 5, 2021, at 9:08 AM, Matthew Richardson > wrote: > >> the RRSIG TTL should match the NS record TTL, but ..., the validating >> resolver does not care, and should not, about RRSIG TTL. So the >> difference between the expiration of the rrsig and the TTL shouldn'

Re: [dns-operations] Lot's of TXT queries from Google

2021-10-07 Thread Wessels, Duane via dns-operations
Moritz, I can't explain the TXT queries, but the NS queries seem to be Google's method of doing qname minimization, with an added nonce value. See https://indico.dns-oarc.net/event/39/contributions/864/ and https://developers.google.com/speed/public-dns/docs/security?hl=e

Re: [dns-operations] What is the reason of J-Root doesn't serve the arpa zone?

2021-12-03 Thread Wessels, Duane via dns-operations
Thanks for the opportunity to add some clarity around J-root and the arpa zone. Here is a brief history of events that can provide some context: In the 1996 time frame there were 9 root servers: A through I. In addition to the root zone, they also served a number of TLDs, i

Re: [dns-operations] What is the reason of J-Root doesn't serve the arpa zone?

2021-12-04 Thread Wessels, Duane via dns-operations
> On Dec 3, 2021, at 7:05 PM, Paul Vixie via dns-operations > wrote: > > > 2870 was wrong in this respect, and should be revised to allow ARPA. > > vixie Well, it sort of was. 2870 was updated by 7720, which notes that the operational requirements are given in RSSAC0

[dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region

2023-07-11 Thread Wessels, Duane via dns-operations
All, Last week, during a migration of one of our DNS resolution sites in Singapore, from one provider to another, we unexpectedly lost management access and the ability to deliver changes and DNS updates to the site. Following our standard procedure, we disabled all transi

[dns-operations] Root zone operational announcement: introducing ZONEMD for the root zone

2023-07-19 Thread Wessels, Duane via dns-operations
I am pleased to announce that Message Digests for DNS Zones, also known as ZONEMD, will be added to the root zone later this year. This feature, specified in RFC 8976, adds cryptographic data protections to the zone as a whole, allowing the recipient to verify the authenti

Re: [dns-operations] Root zone operational announcement: introducing ZONEMD for the root zone

2023-07-21 Thread Wessels, Duane via dns-operations
nd switch > to SHA-384 at a later moment? If so, when? > > Thanks, > > -Otto > > On Wed, Jul 19, 2023 at 04:10:25PM +, Wessels, Duane via dns-operations > wrote: > >> Date: Wed, 19 Jul 2023 16:10:25 + >> From: "Wessels, Duane"

Re: [dns-operations] Root zone operational announcement: introducing ZONEMD for the root zone

2023-07-22 Thread Wessels, Duane via dns-operations
zone file will be per Sept >>> 6th. Will this ZONEMD record also use a private algorithm and switch >>> to SHA-384 at a later moment? If so, when? >>> >>> Thanks, >>> >>> -Otto >>> >>> On Wed, Jul 19, 2023 at 04:10:25PM +, Wes

[dns-operations] EDU zone operational announcement: DNSSEC algorithm rollover

2023-09-05 Thread Wessels, Duane via dns-operations
Verisign will soon begin the transition to DNSSEC algorithm 13 (ECDSA) for the EDU zone. Over the next few days, algorithm 13 signatures will start to appear in the zone, followed by the algorithm 13 DNSKEY records. We expect t

[dns-operations] EDU zone operational announcement: DNSSEC algorithm rollover

2023-09-12 Thread Wessels, Duane via dns-operations
Verisign is pleased to announce that an algorithm 13 (ECDSA) DS record has been published for the EDU zone, and the algorithm 8 record has been removed. Over the next few days, the algorithm 8 DNSKEY records will be removed from

Re: [dns-operations] Root zone operational announcement: introducing ZONEMD for the root zone

2023-09-12 Thread Wessels, Duane via dns-operations
Verisign and ICANN were originally planning to enable ZONEMD for the root zone tomorrow, September 13th. During a deployment to the operational testing environment, we discovered a minor issue. As a result, we, in cooperation with ICANN, have decided to postpone the producti

Re: [dns-operations] Root zone operational announcement: introducing ZONEMD for the root zone

2023-09-21 Thread Wessels, Duane via dns-operations
number, at which time it will become fully verifiable. DW > On Sep 12, 2023, at 2:44 PM, Wessels, Duane via dns-operations > wrote: > > > > Verisign and ICANN were originally planning to enable ZONEMD for > the root zone tomorrow, September 13th. During a deployment

[dns-operations] NET zone operational announcement: DNSSEC algorithm rollover

2023-10-31 Thread Wessels, Duane via dns-operations
Verisign will soon begin the transition to DNSSEC algorithm 13 (ECDSA) for the NET zone. Over the next few days, algorithm 13 signatures will start to appear in the zone, followed by the algorithm 13 DNSKEY records. We expect the DS record for the NET zone to change from al

Re: [dns-operations] NET zone operational announcement: DNSSEC algorithm rollover

2023-11-08 Thread Wessels, Duane via dns-operations
Verisign is pleased to announce that an algorithm 13 (ECDSA) DS record has been published for the NET zone, and the algorithm 8 record has been removed. Over the next few days, the algorithm 8 DNSKEY records will be removed from the NET zone, followed by the removal of algo

[dns-operations] COM zone operational announcement: DNSSEC algorithm rollover

2023-11-28 Thread Wessels, Duane via dns-operations
Verisign will soon begin the transition to DNSSEC algorithm 13 (ECDSA) for the COM zone. Over the next few days, algorithm 13 signatures will start to appear in the zone, followed by the algorithm 13 DNSKEY records. We expect the DS record for the COM zone to change from al

Re: [dns-operations] Root zone operational announcement: introducing ZONEMD for the root zone

2023-12-06 Thread Wessels, Duane via dns-operations
lgorithm number. > > On December 6th we plan to change the root zone ZONEMD record to the SHA384 > algorithm number, at which time it will become fully verifiable. > > > DW > >> On Sep 12, 2023, at 2:44 PM, Wessels, Duane via dns-operations >> wrote: >>

Re: [dns-operations] COM zone operational announcement: DNSSEC algorithm rollover

2023-12-07 Thread Wessels, Duane via dns-operations
Verisign is pleased to announce that an algorithm 13 (ECDSA) DS record has been published for the COM zone, and the algorithm 8 record has been removed. Over the next few days, the algorithm 8 DNSKEY records will be removed from the COM zone, followed by the removal of algo

Re: [dns-operations] Survey of How to Solving DNS Errors

2024-08-21 Thread Wessels, Duane via dns-operations
> On Aug 20, 2024, at 6:08 PM, Dave Lawrence via dns-operations > wrote: > > > From: Dave Lawrence > Subject: Re: [dns-operations] Survey of How to Solving DNS Errors > Date: August 20, 2024 at 6:08:10 PM PDT > To: 苗发生 > Cc: "dns-operations@lists.dns-oarc.net" > > >

Re: [dns-operations] random queries

2025-03-17 Thread Wessels, Duane via dns-operations
> On Mar 17, 2025, at 11:38 PM, John Kristoff wrote: > > > On Mon, 17 Mar 2025 22:52:08 +0700 > Ondřej Surý wrote: > >> Could this be Chromium? >> >> https://blog.verisign.com/domain-names/chromiums-impact-on-root-dns-traffic/ > > I don't think so. For starters, the

[dns-operations] Operator Automated Information Sharing

2025-06-05 Thread Wessels, Duane via dns-operations
Verisign would like to see if any recursive resolver or authoritative name server operators are interested in identifying, implementing, and testing automated technologies that allow us to share operational data in near real time. The idea is to gain early awareness of anom

[dns-operations] Root Zone DNSSEC Operational Update

2025-06-10 Thread Wessels, Duane via dns-operations
Verisign, in its role as the root zone ZSK operator, is transitioning to a new Hardware Security Module (HSM) product for the root zone's Zone Signing Key (ZSK). The current HSM vendor, Ultra Intelligence & Communications, has a