In message , Joe Abley writes:
> On 2010-03-08, at 17:08, George Barwood wrote:
>
> > It's interesting to note that currently
> >
> > dig any . @a.root-servers.net +dnssec
> >
> > truncates, leading to TCP fallback
> >
> > but
> >
> > dig any . @l.root-servers.net +dnssec
>
> > does not tru
On 2010-03-08, at 17:08, George Barwood wrote:
> It's interesting to note that currently
>
> dig any . @a.root-servers.net +dnssec
>
> truncates, leading to TCP fallback
>
> but
>
> dig any . @l.root-servers.net +dnssec
>
> does not truncate ( response size is 1906 bytes ).
A runs BIND9, as
Nicholas Weaver wrote:
> DNSSEC is ONLY useful for things like TXT and CERT records fetched
> by a DNSSEC aware cryptographic application, and that would
> require a valid signature chain from the root(s) of trust
> (either preconfigured or on a path from the signed root) validated
> on the client
In message <43fc3f50679f458a869f99d72ecd1...@localhost>, "George Barwood" writes:
>
>
>
> - Original Message -
> From: "Joe Abley"
> To: "Tony Finch"
> Cc: "George Barwood" ;
> Sent: Monday, March 08, 2010 4:22 PM
> Subject: Re: [DNSOP] Should root-servers.net be signed
>
>
>
>
I apologize for waiting until the last minute to make updates.
Earlier versions of this draft have been discussed on-list and at the last
two IETF
meetings: draft-howard-isp-ip6rdns-03
Comments from the last meeting were as follows; I think I have responded to
all of them in the new draf
- Original Message -
From: "Joe Abley"
To: "Tony Finch"
Cc: "George Barwood" ;
Sent: Monday, March 08, 2010 4:22 PM
Subject: Re: [DNSOP] Should root-servers.net be signed
>On 2010-03-08, at 11:18, Tony Finch wrote:
>> On Mon, 8 Mar 2010, Joe Abley wrote:
>>>
>>
>>> - signing RO
In message <06d5b206-5ec8-4e2a-9f5e-f6a4a6211...@icsi.berkeley.edu>, Nicholas Weaver writes:
>
> On Mar 8, 2010, at 7:27 AM, Paul Wouters wrote:
>
> > On Mon, 8 Mar 2010, Joe Abley wrote:
> >
> >> Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be paraphrased as
On Mon, 8 Mar 2010, Joe Abley wrote:
> On 2010-03-08, at 11:18, Tony Finch wrote:
> > On Mon, 8 Mar 2010, Joe Abley wrote:
> >>
> >
> >> - signing ROOT-SERVERS.NET would result in potentially-harmful large
> >> responses with no increase in security
> >
> > Can't you deal with this by omitting the
On Mar 8, 2010, at 9:31 AM, Thierry Moreau wrote:
> Joe Abley wrote:
>> On 2010-03-08, at 10:27, Paul Wouters wrote:
>>> On Mon, 8 Mar 2010, Joe Abley wrote:
>>>
Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I
think be paraphrased as follows:
- howeve
Joe Abley wrote:
On 2010-03-08, at 10:27, Paul Wouters wrote:
On Mon, 8 Mar 2010, Joe Abley wrote:
Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be
paraphrased as follows:
- however, since the root zone is signed, validators can already tell when they
are tal
On Mon, 8 Mar 2010, Alfred Hönes wrote:
At Mon, 8 Mar 2010 09:27:20 -0500 (EST), William F. Maton Sotomayor wrote:
Given that the other two drafts on AS112 are already along the path
to getting considered beyond the WGLC, would it be prudent to
generate a third draft specific to these issues?
At Mon, 8 Mar 2010 09:27:20 -0500 (EST), William F. Maton Sotomayor wrote:
> ...
>
> Given that the other two drafts on AS112 are already along the path
> to getting considered beyond the WGLC, would it be prudent to
> generate a third draft specific to these issues?
Nicely said.
This indeed aga
On 2010-03-08, at 11:18, Tony Finch wrote:
> On Mon, 8 Mar 2010, Joe Abley wrote:
>>
>
>> - signing ROOT-SERVERS.NET would result in potentially-harmful large
>> responses with no increase in security
>
> Can't you deal with this by omitting the root-servers.net RRSIGs from the
> additional se
On Mar 8, 2010, at 8:00 AM, Paul Wouters wrote:
> On Mon, 8 Mar 2010, Nicholas Weaver wrote:
>
>> If your ISP is acting as a MitM on DNS, its acting as a MitM on everything,
>> so DNSSEC buys you f-all if you are using it for A records, because any app
>> using that A record either doesn't tru
On 2010-03-08, at 10:27, Paul Wouters wrote:
> On Mon, 8 Mar 2010, Joe Abley wrote:
>
>> Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think
>> be paraphrased as follows:
>>
>> - if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs
>> over the A and
On Mon, 8 Mar 2010, Joe Abley wrote:
>
> - signing ROOT-SERVERS.NET would result in potentially-harmful large
> responses with no increase in security
Can't you deal with this by omitting the root-servers.net RRSIGs from the
additional section of responses to queries to the root?
Tony.
--
f.anth
On Mon, 8 Mar 2010, Nicholas Weaver wrote:
If your ISP is acting as a MitM on DNS, its acting as a MitM on everything, so
DNSSEC buys you f-all if you are using it for A records, because any app using
that A record either doesn't trust the net or is trivially p0owned by the ISP.
If I detect
On Mar 8, 2010, at 7:27 AM, Paul Wouters wrote:
> On Mon, 8 Mar 2010, Joe Abley wrote:
>
>> Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think
>> be paraphrased as follows:
>>
>> - if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs
>> over the A
At 9:38 AM -0500 3/8/10, Joe Abley wrote:
>I also find Jim's point regarding NET rather compelling. If the NET zone is
>not signed, then validating responses from a signed ROOT-SERVERS.NET zone
>would require yet another trust anchor to be manually-configured.
...and to manually be removed in th
On Mon, 8 Mar 2010, Joe Abley wrote:
Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be
paraphrased as follows:
- if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs over
the A and RRSets) which is a potential disadvantage
Is it? Is DNSS
On 2010-03-07, at 03:06, George Barwood wrote:
> I have been wondering about this.
Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be
paraphrased as follows:
- if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs over
the A and RRSets) whic
Greetings all,
There's some light discussion on the as112-ops mailing list about
whether or not AS112 should start doing a further two things:
- start replying using IPv6 transport
- amass more delegations for network blocks, like those enumerated in
rfc5735.
Given that the other two draf
* Jim Reid:
> So what? If the served zones are signed, it simply doesn't matter if
> the address of a name server is spoofed or hijacked.
This is only true if the whole DNS tree is signed (and if you don't
value query privacy).
--
Florian Weimer
BFK edv-consulting GmbH htt