[dns-operations] OARConline 32a (June 9th) Agenda now published

2020-05-29 Thread Denesh Bhabuta :: DNS-OARC
Dear colleagues

We are happy to announce the agenda for the inaugural OARConline (June 9th, 
2020; 19:00 - 21:00 UTC) is now published and available in the ‘Workshop 
Agenda’ section on the workshop website.




Attending the workshop requires registration and each delegate will receive 
their own unique access link.

Registration is free and only open until 13:00 UTC on June 9th (6 hours before 
the workshop).

Registration page is also at the URL above.

Regards
Denesh
OARC Events Plannager
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] Disclosure of root zone TSIG keys

2020-05-29 Thread Wessels, Duane via dns-operations
--- Begin Message ---
> On May 29, 2020, at 2:29 AM, Shane Kerr  wrote:
> 
> Duane,
> 
> I really appreciate this level of transparency, thank you.
> 
> This does make me think of a couple of questions.
> 
> 
> First, I assume that the main goal of TSIG is to prevent modification of the 
> zone file(s) in transit, more than preventing access. The root zone is 
> public, right?

That is correct.  There was a time when we did not have IP ACLs and TSIG was 
the only method of access control, but that is no longer the case.

> 
> Since the goal is to prevent modification, I guess the root server operators 
> could fetch PGP signatures from the Internic server and verify the zone 
> today. Do you know if there is any documentation covering the operational 
> practices of the root server operators in this regard?

I'm not aware of any such documentation or of any operators that actually do 
that.

> 
> In the future, adding message digests (draft-ietf-dnsop-dns-zone-digest) to 
> the zones and having both that and the DNSSEC signatures verified by root 
> server operators before accepting a new version of the root zone would be a 
> nice additional check. (Whoever thought of those digests seems really 
> on-the-ball. )

Yes, we would very much like to see ZONEMD advance so we can have that check.

> 
> 
> Second, while it is nice that there are IP-based whitelists protecting zone 
> transfers, are there any requirements for IP's on the whitelists to use RPKI 
> or other routing protections? Even if there are no requirements, does 
> Verisign check RPKI if the root server operators *do* sign their routes? We 
> know that there is BGP hijacking in the wild today, so using and encouraging 
> secured routing seems reasonable to me.

Interesting you mention this.  We have been evaluating the pros and cons of 
RPKI publication for our number resources as well as origin validation for 
received routes.  While we are working on this and intend to fully implement 
RPKI, given the new dependencies it introduces we are being very deliberate and 
working closely with our carrier partners, etc., to minimize the new risks it 
introduces.  More to come on that in the coming months.

Work is underway now to ensure that we monitor all the root zone distribution 
prefixes just as we monitor our own prefixes (commercial and bespoke tools for 
routing system prefixes, attributes, and changes, IRR objects, and RPKI 
objects).

DW

> 
> 
> Thanks again for the transparency and keep up the good work! 
> 
> --
> Shane




--- End Message ---
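
Added example, not part of the messages above and not Verisign's or any root server operator's code: a sketch of the TSIG MAC check for one signed request, showing the integrity (not confidentiality) role confirmed in the reply. The key name, secret, timestamp and query bytes are constructed; in a real message the MAC travels in the TSIG record, and responses additionally prepend the request MAC.

```python
import hashlib
import hmac
import struct

ALG = "hmac-sha256."  # TSIG algorithm name
FUDGE = 300           # permitted clock skew, seconds

def wire_name(name):
    """Domain name in canonical (lower-case, uncompressed) wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_mac(secret, message, key_name, time_signed, fudge=FUDGE):
    """HMAC over the DNS message followed by the TSIG variables."""
    variables = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)  # CLASS ANY, TTL 0
        + wire_name(ALG)
        + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
        + struct.pack("!HH", 0, 0)    # error, other-data length
    )
    return hmac.new(secret, message + variables, hashlib.sha256).digest()

def tsig_verify(secret, message, key_name, time_signed, mac, now, fudge=FUDGE):
    """Receiver side: MAC check first, then the time window."""
    expected = tsig_mac(secret, message, key_name, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

def demo():
    secret = b"constructed-demo-secret"  # constructed, not a real key
    key = "example-xfr-key."             # hypothetical key name
    # Constructed AXFR query for ".": header, root name, QTYPE 252, QCLASS IN
    query = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0) + b"\x00" + struct.pack("!HH", 252, 1)
    signed_at = 1590710400               # 2020-05-29 00:00:00 UTC
    mac = tsig_mac(secret, query, key, signed_at)
    altered = query[:-4] + struct.pack("!HH", 251, 1)  # one field changed in transit
    check = lambda s, m, now: tsig_verify(s, m, key, signed_at, mac, now)
    return {
        "intact": check(secret, query, signed_at + 10),
        "modified": check(secret, altered, signed_at + 10),
        "stale": check(secret, query, signed_at + 3600),
        "wrong_key": check(b"some-other-secret", query, signed_at + 10),
    }
```

The message bytes are sent in the clear; only the holder of the shared secret can produce a MAC that verifies, so any change in transit is rejected.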


Re: [dns-operations] [EXT] .iq contacts?

2020-05-29 Thread Jothan Frakes
They're on the CoCCA platform - I forwarded this to them - sometimes a
different "nudge path"  is effective. -J

On Fri, May 29, 2020 at 8:22 AM Bill Woodcock  wrote:

>
>
> > On May 29, 2020, at 4:52 PM, Jacques Latour wrote:
> >
> > FWIW, replied offline with TLD-OPS contact info.
>
> Anybody other than Saif?
>
> -Bill
>


Re: [dns-operations] [EXT] .iq contacts?

2020-05-29 Thread Bill Woodcock


> On May 29, 2020, at 4:52 PM, Jacques Latour  wrote:
> 
> FWIW, replied offline with TLD-OPS contact info.

Anybody other than Saif?

-Bill





Re: [dns-operations] [EXT] .iq contacts?

2020-05-29 Thread Jacques Latour
FWIW, replied offline with TLD-OPS contact info.

>-Original Message-
>From: dns-operations  On Behalf Of Ray 
>Bellis
>Sent: May 28, 2020 5:15 PM
>To: dns-operations@lists.dns-oarc.net
>Subject: [EXT] [dns-operations] .iq contacts?
>
>Has anyone got any working contacts whatsoever at .iq (Iraq?)
>
>Their hidden master has been offline for about a week and of the four
>name servers two are already returning SERVFAIL following the elapsing
>of the SOA expiry timer and ours (sns-pb.isc.org) is due to follow suit
>very soon.
>
>When that happens there'll only be one functioning NS for the ccTLD, and
>for all I know that one might be about to expire the zone too.
>
>thanks,
>
>Ray Bellis
>Director of DNS Operations, ISC.


Re: [dns-operations] .iq contacts?

2020-05-29 Thread Warren Kumari
On Thu, May 28, 2020 at 7:43 PM Warren Kumari  wrote:

>
>
> On Thu, May 28, 2020 at 6:32 PM Ray Bellis  wrote:
>
>>
>>
>> On 28/05/2020 22:56, Viktor Dukhovni wrote:
>>
>> > Indeed this looks rather precarious, and the SOA serial number is not
>> > any higher on the other remaining server, the expiration time is 7 days,
>> > so not much time left if the primary went down on the 21st.
>> >
>> > The MX record for cmc.iq is: cmc.iq. IN MX 0 in.hes.trendmicro.eu. This
>> > might be useful for reaching "hostmas...@cmc.iq" should the zone expire
>> > in the meantime.  IANA lists a technical contact of "it...@cmc.iq":
>> > 
>>
>> The ISC SNS service was actually due to be shut down on January 31st but
>> there's been a few malingerers, including .iq
>>
>> We've been trying to reach them for *months* via many different comms
>> channels, to no avail.
>>
>
> Well, perhaps this will finally get someone’s attention then...
>
> Sorry for the snark, but I’d previously spent many many hours trying to
> reach iq admins before giving up in disgust...
>

I’d like to apologize for this mail — it was sent in haste and
unnecessarily snarky.

My previous frustration was more than 10 years ago; that’s a really long
time back, and things (and the people working there) have likely changed
since.

Please accept my apologies (both the iq admins, and the list) - it was
uncalled for, and not helpful...

W




> W
>
>
>
>> However this potential failure of all listed NS servers makes this
>> somewhat more urgent.
>>
>> Ray
>>
-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf


Re: [dns-operations] Disclosure of root zone TSIG keys

2020-05-29 Thread Shane Kerr

Duane,

I really appreciate this level of transparency, thank you.

This does make me think of a couple of questions.


First, I assume that the main goal of TSIG is to prevent modification of 
the zone file(s) in transit, more than preventing access. The root zone 
is public, right?


Since the goal is to prevent modification, I guess the root server 
operators could fetch PGP signatures from the Internic server and verify 
the zone today. Do you know if there is any documentation covering the 
operational practices of the root server operators in this regard?


In the future, adding message digests (draft-ietf-dnsop-dns-zone-digest) 
to the zones and having both that and the DNSSEC signatures verified by 
root server operators before accepting a new version of the root zone 
would be a nice additional check. (Whoever thought of those digests 
seems really on-the-ball. )



Second, while it is nice that there are IP-based whitelists protecting 
zone transfers, are there any requirements for IP's on the whitelists to 
use RPKI or other routing protections? Even if there are no 
requirements, does Verisign check RPKI if the root server operators *do* 
sign their routes? We know that there is BGP hijacking in the wild 
today, so using and encouraging secured routing seems reasonable to me.



Thanks again for the transparency and keep up the good work! 

--
Shane