> > Well, even if you do not want to change the status quo then this
> > complaint has one undoubtful point:
> > This whole BCP (whatever that includes in detail) is nowhere
> > documented.
> It is now, since Anand replied to the list, in
> <68c1d8f7-7b0b-a5d0-d1ed-d75f21562...@ripe.net>.
>
>
On Thu, Jun 13, 2019 at 09:40:20AM +0100, Jim Reid wrote:
> > On 12 Jun 2019, at 21:06, Nick Hilliard wrote:
> >
> > we don't really need this because it's not fixing a problem.
>
> Indeed. There’s no problem here that needs fixing.
>
> > ... the RIPE NCC's record for handling dns delegation
> On 12 Jun 2019, at 21:06, Nick Hilliard wrote:
>
> we don't really need this because it's not fixing a problem.
Indeed. There’s no problem here that needs fixing.
> ... the RIPE NCC's record for handling dns delegation over the years shows
> that they're doing a good job and unless this c
Subject: Re: [dns-wg] NCC reverse delegation criteria Date: Wed, Jun 12, 2019
at 11:06:33PM +0300 Quoting Nick Hilliard (n...@foobar.org):
> Måns Nilsson wrote on 12/06/2019 22:42:
> > I suggest that we perform the absolute minimum of policy footwork to
> > endorse this procedure a
Måns Nilsson wrote on 12/06/2019 22:42:
I suggest that we perform the absolute minimum of policy footwork to
endorse this procedure as is. Because I feel we have a strong if not
absolute consensus for carrying on as usual from those who spoke up here.
we don't really need this because it's not
On 6/11/19 11:10 PM, Jonas Frey wrote:
> This whole BCP (whatever that includes in detail) is nowhere
> documented.
hi,
to be honest there is a meaningful BCP about the topic: RFC 5358, BCP
140, Preventing Use of Recursive Nameservers in Reflector Attacks.
under "Recommended configuration" para
Subject: Re: [dns-wg] NCC reverse delegation criteria Date: Tue, Jun 11, 2019
at 11:10:01PM +0200 Quoting Jonas Frey (j...@probe-networks.de):
> Ian,
>
>
> > I'd argue that it is not controversial at all.
> > We have good BCP and the RIPE NCC delegation checks it.
>
Gert Doering wrote on 11/06/2019 21:50:
On Tue, Jun 11, 2019 at 08:40:05PM +0200, Jonas Frey wrote:
The time window might be small, but serving wrong answers was not
acceptable for us.
ok, but in the automated world of today this small window is likely to
be _really_ small.
Only if everythin
Moin!
On 11 Jun 2019, at 20:40, Jonas Frey wrote:
> I do see 3 major benefits to combine/unify these:
> - "saving" IP addresses (depending on how many you run of course[1])
Should not be a problem with IPv6, and running the same function
like http on the same IP is quite different from running dif
Ian,
> I'd argue that it is not controversial at all.
> We have good BCP and the RIPE NCC delegation checks it.
> By all means wait for the RIPE NCC to respond, but I see no reason to
> change the status quo.
> This seems like a complaint about nothing of importance IMHO.
>
> Ian
Well, even if
> Because 20 years ago, we realised that this is a problem and stopped
> intermingling recursive and authoritative service. Software like the
> djb suite, nsd and unbound was written to assist in this separation.
>
> Thus, no one has bothered to revisit the docs on the subject.
>
> Part of the re
> I suggest we wait for the NCC folks to come back with the exact list of
> requirements used today and starting from those the community, since this is
> more controversial than I and others thought, should try to formulate a
> policy that is consistent with the desires and needs of the communi
Subject: Re: [dns-wg] NCC reverse delegation criteria Date: Tue, Jun 11, 2019
at 07:52:18PM +0200 Quoting Jonas Frey (j...@probe-networks.de):
> It seems to me that all documentation regarding this topic is highly
> outdated (at least what I have found, see ISC's docs for BIND).
Becau
Hi,
On Tue, Jun 11, 2019 at 08:40:05PM +0200, Jonas Frey wrote:
> > The time window might be small, but serving wrong answers was not
> > acceptable for us.
>
> ok, but in the automated world of today this small window is likely to
> be _really_ small.
Only if everything works perfectly. Espec
Gert,
>
> The time window might be small, but serving wrong answers was not
> acceptable for us.
>
>
ok, but in the automated world of today this small window is likely to
be _really_ small.
>
>
> Can you explain why it would be desirable to *have* these unified?
>
> Gert Doering
>
Hi,
On Tue, Jun 11, 2019 at 07:52:18PM +0200, Jonas Frey wrote:
> If cache poisoning is being taken care of (be it via DNSSEC or else)
> what other reasons are there to not combine both?
Well, the reason we separated these functions (like some 20 years ago)
was "provisioning of customer domains th
> Nope. There are other much more unpleasant impacts: consider cache
> poisoning.
>
> If your authoritative server also handles arbitrary recursive
> queries, I can make your name server query my DNS server which tells
> lies. Unless your server does DNSSEC validation, it will then spread
> these
> None of those organisations run authoritative servers on the same
> open recursive servers, either for direct or reverse domains.
>
>
>
> Rubens
>
>
Rubens,
neither me nor Jim Reid claimed that here, please re-read our replies:
> Run an open resolver and secure it properly
These two thi
> On 11 Jun 2019, at 13:58:000, Jonas Frey
> wrote:
>
>
>>> Run an open resolver and secure it properly
>> These two things are mutually exclusive. Sorry.
>>
>
> Well, then all of these (running open resolvers) must be wrong:
> - Google
> - Cloudflare
> - Quad9
> - OpenDNS
> - Yan
> On 11 Jun 2019, at 17:58, Jonas Frey wrote:
>
>>> Run an open resolver and secure it properly
>> These two things are mutually exclusive. Sorry.
>>
>
> Well, then all of these (running open resolvers) must be wrong:
> - Google
> - Cloudflare
> - Quad9
> ...
They’ve taken business decisions t
> On 11 Jun 2019, at 17:28, Jonas Frey wrote:
>
> As previously noted most (if not all) ccTLD registries do not block when
> a open recursor is found. (C/N/O: Verisign pass, EU EURID: pass, DE DE-
> NIC: pass with warn).
> Now that these ccTLDs deal with *a lot* more nameservers than RIPE
> (prob
> > Run an open resolver and secure it properly
> These two things are mutually exclusive. Sorry.
>
Well, then all of these (running open resolvers) must be wrong:
- Google
- Cloudflare
- Quad9
- OpenDNS
- Yandex
- Comodo
- Norton
- Clean Browsing
- ...
Anyway, isn't this the wrong discussion? Th
> On 11 Jun 2019, at 17:28, Jonas Frey wrote:
>
> Run an open resolver and secure it properly
These two things are mutually exclusive. Sorry.
Subject: Re: [dns-wg] NCC reverse delegation criteria Date: Tue, Jun 11, 2019
at 10:52:00AM +0200 Quoting Anand Buddhdev (ana...@ripe.net):
> Good morning Måns,
>
> We will come back to you shortly with answers to your and others'
> questions in this thread.
Excellent!
Good morning Måns,
We will come back to you shortly with answers to your and others'
questions in this thread.
Regards,
Anand Buddhdev
RIPE NCC
On 10/06/2019 09:22, Måns Nilsson wrote:
> Recently, a discussion regarding the checks performed by the NCC before
> reverse delegation is made came up
> On 10 Jun 2019, at 17:04, Randy Bush wrote:
>
>> I couldn't find out how to use the policy process to get RFC 7344 CDS
>> automation in place :-(
Tony, all you need to do is write a proposal and post it to dns-wg@ripe.net.
I’m sure the WG co-chairs will be happy to advise.
> sounds more l
Dear all,
Is a complete overview of the current policy / testing process
available?
To further this discussion - I think it would be good to have a full
understanding of what the current state of affairs is in this context.
Kind regards,
Job
> I couldn't find out how to use the policy process to get RFC 7344 CDS
> automation in place :-(
sounds more like education and engineering than policy. if not the dns
wg, where may be lost in the s:n, maybe an ncc services request.
randy
Shane Kerr wrote:
>
> The good news is that as a member of the RIPE community, you and all of the
> rest of us have a chance to shape the policy here. If we think that we need a
> RIPE policy or other RIPE community recommendation to the RIPE NCC regarding
> delegation to open resolvers, we have a
Måns,
Speaking mostly as myself, except where indicated below
On 10/06/2019 09.22, Måns Nilsson wrote:
Recently, a discussion regarding the checks performed by the NCC before
reverse delegation is made came up on the members-discuss list. It was
concluded that this should be discussed here
First question is (and RIPE should have the data) how many delegations do
they reject because
the server is an open recursor ? In today's world, I suspect it would be
quite low
Tim
On Mon, Jun 10, 2019 at 3:23 AM Måns Nilsson
wrote:
> Recently, a discussion regarding the checks performed by the
31 matches