- Original Message -
From: "Chris Thompson"
To: "George Barwood"
Cc:
Sent: Tuesday, July 05, 2011 9:09 PM
Subject: Re: [DNSOP] CDS RRtype - automated KSK rollover
> On Jun 12 2011, George Barwood wrote:
>
>>I have updated the draft
>>
>>h
- Original Message -
From: "Stephen Morris"
To:
Sent: Thursday, June 30, 2011 3:32 PM
Subject: Re: [DNSOP] CDS RRtype - automated KSK rollover
> On 12/06/2011 20:50, George Barwood wrote:
>> I have updated the draft
>>
>> http://www.ietf.org/id/draft-
I have updated the draft
http://www.ietf.org/id/draft-barwood-dnsop-ds-publish-02.txt
I have added an appendix with an example KSK rollover, and made
various generally minor changes.
IANA have now assigned type code 59 for the CDS RRtype.
I'd like to request that the WG adopt this document.
G
> (4) Stop signing with DNS_K_2, start signing with DNS_K_1
Apologies, that should of course be
(4) Stop signing with DNS_K_1, start signing with DNS_K_2
George
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
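A constructed model of the rollover discussed above, added here as an example; it is not text from the draft, nor code from any implementation. It assumes that the parent polls the child's CDS RRset and copies it verbatim into its DS RRset, that a validating resolver may hold the DS set from one schedule step and the DNSKEY RRset (with its RRSIG) from the adjacent step because of caching, and that each step is held until the previous step's TTLs have expired; the key names KSK-1 and KSK-2 are placeholders. The check enumerates every stale-cache combination between adjacent steps and shows why the double-DS ordering (DS for both keys before the signer changes, signer changed before the old DS is withdrawn) survives where an abrupt swap does not.

```python
"""Constructed model of a CDS-driven double-DS KSK rollover.

Added example, not the draft's text or any implementation. Assumptions:
the parent polls the child's CDS RRset and copies it verbatim into its DS
RRset; a validating resolver may hold a DS set from one schedule step and
a DNSKEY RRset (with its RRSIG) from the adjacent step, because of caching;
key names KSK-1/KSK-2 are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneState:
    dnskeys: frozenset  # KSKs present in the child's DNSKEY RRset
    signer: str         # KSK whose RRSIG covers the DNSKEY RRset
    cds: frozenset      # CDS RRset the child publishes (desired DS set)


def parent_ds(child: ZoneState) -> frozenset:
    """DS set at the parent once it has synced from the child's CDS."""
    return child.cds


def validates(ds: frozenset, child: ZoneState) -> bool:
    """Chain-of-trust check: the key signing the DNSKEY RRset must be in
    that RRset and be referenced by a DS record the resolver holds."""
    return child.signer in child.dnskeys and child.signer in ds


def rollover_failures(schedule) -> list:
    """Every (step, ds_source, dnskey_source) combination that fails to
    validate when the resolver's DS and DNSKEY caches each lag by at most
    one step relative to the other."""
    failures = []
    for i, now in enumerate(schedule):
        prev = schedule[i - 1] if i else now
        for ds_src, ds_state in (("prev", prev), ("now", now)):
            for dk_src, dk_state in (("prev", prev), ("now", now)):
                if not validates(parent_ds(ds_state), dk_state):
                    failures.append((i, ds_src, dk_src))
    return failures


K1, K2 = "KSK-1", "KSK-2"

# Double-DS schedule: DS for both keys exists before the signer changes,
# and the signer has changed before the old DS is withdrawn.  Each step
# is assumed to be held until the TTLs of the previous step have expired.
DOUBLE_DS = [
    ZoneState(frozenset({K1}), K1, frozenset({K1})),          # steady state
    ZoneState(frozenset({K1, K2}), K1, frozenset({K1, K2})),  # add K2, CDS lists both
    ZoneState(frozenset({K1, K2}), K2, frozenset({K1, K2})),  # stop signing with K1, start with K2
    ZoneState(frozenset({K1, K2}), K2, frozenset({K2})),      # CDS now lists K2 only
    ZoneState(frozenset({K2}), K2, frozenset({K2})),          # retire K1
]

# Abrupt schedule: new key, new signer and new DS all change in one step,
# so a resolver holding the old DS or the old DNSKEY RRset cannot validate.
ABRUPT = [
    ZoneState(frozenset({K1}), K1, frozenset({K1})),
    ZoneState(frozenset({K1, K2}), K2, frozenset({K2})),
    ZoneState(frozenset({K2}), K2, frozenset({K2})),
]

if __name__ == "__main__":
    print("double-DS failures:", rollover_failures(DOUBLE_DS))
    print("abrupt failures:   ", rollover_failures(ABRUPT))
```

The model deliberately ignores the ZSK and treats the DNSKEY RRset as signed by one KSK at a time, which is the part of the chain a KSK rollover actually changes; a real schedule also has to wait out the parent's polling interval and the DS and DNSKEY TTLs between steps, which the one-step lag stands in for.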
e signatures.
It is double-DS, but given that DS records are relatively small, this may be a
lesser consideration, whereas the size of the DNSKEY response is most likely to
be affected by fragmentation/TCP fallback considerations.
George Barwood
- Original Message -
From: "Joe Abley"
To: "George Barwood"
Cc: "Peter Koch" ; "IETF DNSOP WG"
Sent: Monday, April 18, 2011 9:26 PM
Subject: Re: [DNSOP] WGLC [2011-05-17]
> I don't think it's unreasonable for these facts,
- Original Message -
From: "Paul Wouters"
To: "George Barwood"
Cc: "IETF DNSOP WG"
Sent: Monday, April 18, 2011 10:34 PM
Subject: Re: [DNSOP] WGLC [2011-05-17]
> On Mon, 18 Apr 2011, George Barwood wrote:
>
>> (1) It's my belief
he
negative TTL for
the com zone is only 900 seconds (the SOA TTL). This is probably appropriate
for a NameError
(NxDomain) response, but 1 day might be more appropriate for a negative DS
response, to improve
caching performance and reduce load on servers.
I support publication of this docume
- Original Message -
From: "John Levine"
To:
Sent: Wednesday, April 13, 2011 7:04 PM
Subject: [DNSOP] Do negative cache entries have to be consistent ?
> Some friends of mine who run DNSBLs have this idea to manage the
> traffic to their servers: some parts of the IP address space are
- Original Message -
From: "Rickard Bellgrim"
To:
Sent: Wednesday, November 10, 2010 3:53 PM
Subject: [DNSOP] Comments on DS Publication draft
> Hi
>
> I have some comments on the document draft-barwood-dnsop-ds-publish-01:
>
> 1. Introduction (3rd paragraph)
> It is not always the
Joe,
Not directly related to this draft (it's probably out of scope), but is there
any guidance on the timing of rollover of the Trust Anchor for the Root Zone?
Specifically, how many days/months in advance will a replacement Trust Anchor
be published before the old Trust Anchor becomes inval
Sorry, the link was for the previous version. The new version is
http://tools.ietf.org/id/draft-barwood-dnsop-ds-publish-01.txt
- George
- Original Message -
From: "George Barwood"
To:
Sent: Saturday, July 03, 2010 10:42 AM
Subject: [DNSOP] Fw: New Version Notification
- Original Message -
From: "IETF I-D Submission Tool"
To:
Sent: Saturday, July 03, 2010 10:22 AM
Subject: New Version Notification for draft-barwood-dnsop-ds-publish-01
>
> A new version of I-D, draft-barwood-dnsop-ds-publish-01.txt has been
> successfully submitted by
- Original Message -
From: "Shane Kerr"
To: "Wolfgang Nagele"
Cc:
Sent: Thursday, July 01, 2010 9:01 PM
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-mekking-dnsop-auto-cpsync-00
> I do think that George's approach only makes sense if some more work is
> done fleshing
- Original Message -
From: "Wolfgang Nagele"
To: "George Barwood"
Cc: "Mark Andrews" ;
Sent: Friday, July 02, 2010 8:13 AM
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-mekking-dnsop-auto-cpsync-00
>> This implies extra infrastructu
- Original Message -
From: "Mark Andrews"
To: "Shane Kerr"
Cc: "Wolfgang Nagele" ;
Sent: Friday, July 02, 2010 4:42 AM
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-mekking-dnsop-auto-cpsync-00
[snip]
>> I do think that George's approach only makes sense if some more wo
- Original Message -
From: "Stephan Lagerholm"
To: "George Barwood" ;
Sent: Wednesday, June 30, 2010 2:25 PM
Subject: RE: [DNSOP] Fwd: New Version Notification for draft-mekking-dnsop-auto-cpsync-00
> I would encourage some type of notification mechanism so th
I'd like to encourage some discussion of the relative merits of the UPDATE
approach
http://www.ietf.org/id/draft-mekking-dnsop-auto-cpsync-00.txt
compared to the publication approach outlined in the recent draft at
http://www.ietf.org/id/draft-barwood-dnsop-ds-publish-00.txt
I haven't yet done
- Original Message -
From: "W.C.A. Wijngaards"
To:
Sent: Thursday, June 24, 2010 11:38 AM
Subject: Re: [DNSOP] That key size argument...was Re: The case for single
active key
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi George,
>
> On
- Original Message -
From: "Olafur Gudmundsson"
To:
Sent: Saturday, June 19, 2010 5:01 PM
Subject: Re: [DNSOP] That key size argument...was Re: The case for single
active key
> Should the WG document recommend/bless single key usage in
> some/many cases.
Not sure about recommending,
Chris,
Thanks for your comments.
- Original Message -
From: "Chris Thompson"
To: "George Barwood"
Cc:
Sent: Saturday, May 22, 2010 8:07 PM
Subject: Re: [DNSOP] KSK rollover
> On May 22 2010, George Barwood wrote:
>
>>Well, I have uploaded a dra
Well, I have uploaded a draft :
http://www.ietf.org/id/draft-barwood-dnsop-ds-publish-00.txt
Comments and/or indications of support are of course welcome, on or off list.
George
- Original Message -
From: "George Barwood"
To:
Sent: Thursday, May 13, 2010 8:56 AM
Subject: [
- Original Message -
From: "Patrik Wallstrom"
To: "George Barwood"
Cc:
Sent: Thursday, May 13, 2010 9:06 AM
Subject: Re: [DNSOP] KSK rollover
>On May 13, 2010, at 9:56 AM, George Barwood wrote:
>> I have been thinking about KSK rollover in my
that's all I found.
Have I missed something? It seems to me that this is a rather vital component if
DNSSEC is to be widely deployed.
Are there any plans to revive and/or implement these requirements?
George Barwood
- Original Message -
From: "Nicholas Weaver"
To: "George Barwood"
Cc: "Nicholas Weaver" ;
Sent: Saturday, March 20, 2010 2:26 PM
Subject: Re: [DNSOP] Should root-servers.net be signed
On Mar 20, 2010, at 1:50 AM, George Barwood wrote:
>>> Ens
- Original Message -
From: "Nicholas Weaver"
To: "George Barwood"
Cc: "Nicholas Weaver" ;
Sent: Friday, March 19, 2010 7:48 PM
Subject: Re: [DNSOP] Should root-servers.net be signed
>On Mar 19, 2010, at 12:01 PM, George Barwood wrote:
>>
>
> Hmm, you're right, IF the A records are accepted in the additional section,
> true, A records could be added to the RRSET for some of the names.
> But frankly speaking, thats "ADDITIONAL", and shouldn't really be accepted at
> all, and if the resolver DOES cache it, I'd personally call it a b
>> It cuts the response from 4K to 1.5K, and I think it is fragmentation that
>> contributes to these attacks being damaging.
> All I need to do is find a set of open resolvers which don't have such limits
> to do juuust fine.
Eventually the open resolvers will get updated, and thus these attac
>> There are advantages besides messages being lost.
>> It also prevents spoofing of fragments, and limits amplification attacks.
>It doesn't limit amplification attacks by much if at all
It cuts the response from 4K to 1.5K, and I think it is fragmentation that
contributes to these attacks being dama
- Original Message -
From: "Nicholas Weaver"
To: "George Barwood"
Cc: "Nicholas Weaver" ; "Matt Larson"
;
Sent: Friday, March 19, 2010 12:33 PM
Subject: Re: [DNSOP] Should root-servers.net be signed
>On Mar 19, 2010, at 12:21 AM, George Ba
- Original Message -
From: "Nicholas Weaver"
To: "Matt Larson"
Cc: ; "Nicholas Weaver"
Sent: Tuesday, March 09, 2010 3:31 PM
Subject: Re: [DNSOP] Should root-servers.net be signed
>
> On Mar 9, 2010, at 7:17 AM, Matt Larson wrote:
>
>&
- Original Message -
From: "Jim Reid"
To: "George Barwood"
Cc:
Sent: Wednesday, March 17, 2010 12:23 PM
Subject: Re: [DNSOP] m.root-servers.net DNSSEC TCP failures
> On 17 Mar 2010, at 11:28, George Barwood wrote:
>
>> It seems that m.root-server
It seems that
m.root-servers.net
is now serving DNSSEC, but does not have TCP, so the following queries all fail
dig any . @m.root-servers.net
dig rrsig . @m.root-servers.net
dig any . @m.root-servers.net +dnssec +bufsize=1400
None of these are normal queries, but it seems a bit doubtful even so.
- Original Message -
From: "Joe Abley"
To: "Tony Finch"
Cc: "George Barwood" ;
Sent: Monday, March 08, 2010 4:22 PM
Subject: Re: [DNSOP] Should root-servers.net be signed
>On 2010-03-08, at 11:18, Tony Finch wrote:
>> On Mon, 8 Mar 2010,
> But since unless you manually or do some other finagling can't easily
> establish trust if you don't have trust above, root-servers.net should only
> sign after .net is signed at this point in the rollout.
The dependency on .net for the root name servers seems strange to me.
Intuitively, I sh
- Original Message -
From: "Jim Reid"
To: "George Barwood"
Cc:
Sent: Sunday, March 07, 2010 10:20 AM
Subject: Re: [DNSOP] Should root-servers.net be signed
> On 7 Mar 2010, at 08:06, George Barwood wrote:
>
>> If root-servers.net is unsigned, it
I have been wondering about this.
For a resolver behind a NAT firewall that removes port randomization,
it is possible for an attacker to spoof the priming query (only 16 bits of
ID protection).
If root-servers.net is unsigned, it's not possible for the resolver to validate
the set of root IP a
Any reaction to this CircleID article ?
http://www.circleid.com/posts/dns_resolvers_and_dnssec_roll_over_and_die/
It seems that BIND and Unbound can
"enter a mode of sustained, repeated and very rapid querying of DNS servers
for DNSKEY and RRSIG Resource records, causing potential problems
- Original Message -
From: "Jim Reid"
To: "George Barwood"
Cc: "IETF DNSOP WG"
Sent: Saturday, January 16, 2010 1:25 PM
Subject: signing glue and additional data
> On 16 Jan 2010, at 11:17, George Barwood wrote:
>
>> To correct my stat
> Why would glue records be signed? That's not normal in DNSSEC, AFAIK.
To correct my statement, the following query shows that glue records may be
signed
dig soa se @a.ns.se +dnssec
which has a response size of 2944 bytes. However, most of this is Additional
Section RRSIGs, and
dig soa se @
- Original Message -
From: "Olafur Gudmundsson"
To:
Sent: Wednesday, January 13, 2010 6:19 PM
Subject: [DNSOP] Priming query transport selection
> 26 signed glue records will require about 5K answer if each RRSet is
> signed by a single 1024 bit RSA key.
> This will never fit into an
Ray,
I have read the draft, found no problems other than the missing security
considerations
(I don't see any particular security considerations), and fully support it.
Did you consider a "referral" model using NS records?
LOCAL.ARPA. 9000 NS A.LOCAL.ARPA.
LOCAL.ARPA. 9000 NS
-considered-harmful-00.
+1
I believe that draft-livingood-dns-redirect-00 is fundamentally misconceived
and wrong.
I oppose its adoption as a WG document.
"You can put lipstick on a pig, but it's still a pig."
Best wishes,
George Barwood
UK
> Kind regards,
>
>
I'm seeing a malformed response to EDNS options from the name servers for
atdmt.com, e.g.
dig +nsid clk.atdmt.com @glb04.aquantive.com
reports
;; Warning: Message parser reports malformed message packet.
;; WARNING: Messages has 95 extra bytes at end
The problem seems to be triggered by any ED
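An added example of the check behind dig's "extra bytes at end" warning above, and of the TC flag that forces the TCP fallback the m.root-servers.net queries earlier on this page depended on. It is not code from the page or from dig; it walks a DNS wire-format message section by section and reports the EDNS UDP payload size and how many bytes follow the last counted record. The sample response is constructed here (the name clk.atdmt.com from the query above, a documentation address as RDATA, an OPT RR advertising a 4096-byte payload), and the 95 junk bytes appended to it are an assumption standing in for whatever the atdmt.com servers actually sent.

```python
"""Walk a DNS wire-format message and report what dig warns about.

Added example, not code from the page or from dig. The sample message is
constructed here (name clk.atdmt.com, a documentation address, an OPT RR
advertising a 4096-byte UDP payload); the 95 junk bytes appended to it are
an assumption standing in for the "extra bytes at end" dig reported.
"""
import struct

OPT = 41      # EDNS(0) OPT pseudo-RR type
TC = 0x0200   # truncation flag in the header flags word


def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at `off`, following one
    compression pointer if present."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if n == 0:                 # root label ends the name
            return off
        off += n


def parse_message(msg: bytes) -> dict:
    """Parse the header and all four sections; return the TC flag, the EDNS
    UDP payload size (None if no OPT RR) and the number of bytes that sit
    after the last counted record."""
    if len(msg) < 12:
        raise ValueError("short header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    udp_size = None
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated RR header in %s section" % section)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if off > len(msg):
                raise ValueError("RDATA runs past end of message")
            if section == "additional" and rtype == OPT:
                udp_size = rclass                # OPT reuses CLASS for the UDP size
    return {"id": ident, "tc": bool(flags & TC),
            "opt_udp_size": udp_size, "trailing_bytes": len(msg) - off}


def build_message(flags: int = 0x8180, extra: bytes = b"") -> bytes:
    """Constructed response: one A answer plus an OPT RR, then `extra`."""
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 1)
    question = encode_name("clk.atdmt.com") + struct.pack("!HH", 1, 1)
    # answer name is a pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0)
    return hdr + question + answer + opt + extra


if __name__ == "__main__":
    print(parse_message(build_message()))
    print(parse_message(build_message(extra=b"\xaa" * 95)))
    print(parse_message(build_message(flags=0x8180 | TC)))
```

A resolver that uses the reported trailing count the way dig does (warn, but still consume the counted records) is fine; one that rejects the whole message would fail every lookup against a server with this bug, which is worth knowing before tightening a parser in the name of robustness.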
it should be
fairly good I think.
George Barwood
- Original Message -
From: "Yngve N. Pettersen (Developer Opera Software ASA)"
To:
Sent: Monday, November 03, 2008 10:47 PM
Subject: [DNSOP] Fwd: I-D Action:draft-pettersen-subtld-structure-04.