Re: [DNSOP] DNS updates and classless in-addr.arpa delegation/CNAMEs

2015-06-29 Thread Petr Spacek
On 3.6.2015 10:44, Mark Andrews wrote: > In message <556ea478.80...@redhat.com>, Petr Spacek writes: >> I would like early feedback about following idea about interaction between DNS >> updates (RFC 2136) and classless IN-ADDR.ARPA delegation (RFC 2317). >> >> In short, the RFC 2317 tells me to

Re: [DNSOP] Some distinctions and a request

2015-06-29 Thread Andrew Sullivan
Hi Ed, On Thu, Jun 25, 2015 at 12:51:46PM +, Edward Lewis wrote: > >It seems to me that, for any domain name, there are three things that > >are relevant: > > > >1. The namespace. > >2. The registry for that name (in the old-fashioned, not ICANN, sense) > >3. The zone at that name. > > I h

[DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

2015-06-29 Thread Warren Kumari
Hi all, So, there is a project underway to roll the DNSSEC root key. There has been much written about this, including SAC063 (https://www.icann.org/en/system/files/files/sac-063-en.pdf[0]), a DNSSEC Root KSK Rollover Plan Design Team, various consultations with the community, many presentations a

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

2015-06-29 Thread Ralf Weber
Moin! On 29 Jun 2015, at 22:48, Warren Kumari wrote: I've written a draft that proposes a different way of performing root key rollover that exposes who all has which key - this allows one to know that 99.8% of resolvers have the new key, who has the old one, and who will break. It does this by

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

2015-06-29 Thread manning
This looks very much like the draft that Olaf, Johan, and I wrote at the same time MSJ was proposing what we have now. You might want to talk to either Olaf or Johan for more details. And yes, this will fail if any of the loopback drafts are deployed. manning bmann...@karoshi.com PO Box 12317

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

2015-06-29 Thread Olafur Gudmundsson
There is a much simpler way. Just add a record to the rootzone that is only signed by the new key. If resolver returns AD bit it has the new key. All that is needed is to sign an RRset for a long time and add it to the rootzone and make sure no ZSK signs it. Olafur On Jun 29, 2015 4:49 PM, "Warren

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

2015-06-29 Thread David Conrad
Bill, > This looks very much like the draft that Olaf, Johan, and I wrote at the same > time MSJ was proposing what we have now. > You might want to talk to either Olaf or Johan for more details. Don't suppose anyone has a copy of that draft? > And yes, this will fail if any of the loopback dra

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

2015-06-29 Thread Warren Kumari
On Mon, Jun 29, 2015 at 5:59 PM, Ralf Weber wrote: > Moin! > > On 29 Jun 2015, at 22:48, Warren Kumari wrote: >> >> I've written a draft that proposes a different way of performing root >> key rollover that exposes who all has which key - this allows one to >> know that 99.8% of resolvers have the

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

2015-06-29 Thread Warren Kumari
On Mon, Jun 29, 2015 at 7:28 PM, Olafur Gudmundsson wrote: > There is a much simpler way. > Just add a record to the rootzone that is only signed by the new key. > If resolver returns AD bit it has the new key. > > All that is needed is to sign an RRset for a long time and add it to the > rootzone a

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

2015-06-29 Thread Paul Vixie
Olafur Gudmundsson wrote: > > There is a much simpler way. > Just add a record to the rootzone that is only signed by the new key. > If resolver returns AD bit it has the new key. > > All that is needed is to sign an RRset for a long time and add it to > the rootzone and make sure no ZSK signs it.

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

2015-06-29 Thread Olafur Gudmundsson
Atlas probes can help us; we can even measure this from webpages, cellphones, OS updates can add a test etc. Olafur On Jun 29, 2015 7:33 PM, "Warren Kumari" wrote: > On Mon, Jun 29, 2015 at 7:28 PM, Olafur Gudmundsson > wrote: > > There is a much simpler way. > > Just add a record to the rootzone th

Re: [DNSOP] DNS updates and classless in-addr.arpa delegation/CNAMEs

2015-06-29 Thread Mark Andrews
Section 3 contains an obvious error "192.0.2.1 -> 2.0.192.in-addr.arpa." should be "192.0.2.1 -> 1.2.0.192.in-addr.arpa." -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org __

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

2015-06-29 Thread manning
Why, yes, I still do. (and it can be found in the IETF archives) https://tools.ietf.org/html/draft-ietf-dnsext-trustupdate-threshold-01 As to why, perhaps I am missing the obvious, but if SUDSTA proceeds, does it matter if the origin IP of the root zone being served is sporadically distribute

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

2015-06-29 Thread David Conrad
>>> And yes, this will fail if any of the loopback drafts are deployed. >> Sorry, I must be missing something obvious. Why? > As to why, perhaps I am missing the obvious, but if SUDSTA proceeds, does it > matter if the origin IP of the root zone being served > is sporadically distributed? It se

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

2015-06-29 Thread manning
On 29June2015Monday, at 19:07, David Conrad wrote: And yes, this will fail if any of the loopback drafts are deployed. >>> Sorry, I must be missing something obvious. Why? >> As to why, perhaps I am missing the obvious, but if SUDSTA proceeds, does >> it matter if the origin IP of the root