Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken

2023-07-20 Thread Mark Andrews
On a similar issue, why aren’t the root servers all implementing DNS COOKIES, as 
they provide clients protection from spoofed referrals?

-- 
Mark Andrews

> On 21 Jul 2023, at 03:16, David Conrad  wrote:
> 
> Hi,
> 
>> On Jul 20, 2023, at 7:29 AM, Viktor Dukhovni  wrote:
>> Finally, for the RSSAC (yes not the right forum to formally lodge the
>> question), should the root zone DS TTL still be 1 day?  Would a change
>> to one hour be acceptable (aligning it with the practice of many
>> TLDs and aiding in more timely recovery from mistakes)?
> 
> 
> Haven’t thought about the implications enough to comment on the idea; however, 
> instead of RSSAC, this sounds to me like a question for RZERC to (eventually) 
> weigh in on. In the Byzantine world of ICANN, it would need to be brought to 
> RZERC by "any of [RZERC’s] members, PTI staff, or by the Customer Standing 
> Committee (CSC)", many of which are on this mailing list.
> 
> Regards,
> -drc
> 


___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken

2023-07-20 Thread David Conrad
Hi,

On Jul 20, 2023, at 7:29 AM, Viktor Dukhovni  wrote:
> Finally, for the RSSAC (yes not the right forum to formally lodge the
> question), should the root zone DS TTL still be 1 day?  Would a change
> to one hour be acceptable (aligning it with the practice of many
> TLDs and aiding in more timely recovery from mistakes)?


Haven’t thought about the implications enough to comment on the idea; however, 
instead of RSSAC, this sounds to me like a question for RZERC to (eventually) 
weigh in on. In the Byzantine world of ICANN, it would need to be brought to 
RZERC by "any of [RZERC’s] members, PTI staff, or by the Customer Standing 
Committee (CSC)", many of which are on this mailing list.

Regards,
-drc





Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken

2023-07-20 Thread Viktor Dukhovni
On Thu, Jul 20, 2023 at 07:25:17AM -0400, Hugo Salgado wrote:

> They are aware and working on this. Thanks!

The final working state is still somewhat suboptimal:

- The KSKs are 4096 bit RSA.  This is pointless, the DS RRset from
  the root is signed with a 2048-bit RSA key.  The additional bits
  are just packet size and computational bloat.

- The ZSK need not (and so in practice should not) also sign the DNSKEY
  RRset, just the KSK signatures are sufficient.

Finally, for the RSSAC (yes not the right forum to formally lodge the
question), should the root zone DS TTL still be 1 day?  Would a change
to one hour be acceptable (aligning it with the practice of many
TLDs and aiding in more timely recovery from mistakes)?

-- 
Viktor.


Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken

2023-07-20 Thread Stephane Bortzmeyer
On Thu, Jul 20, 2023 at 07:25:17AM -0400,
 Hugo Salgado  wrote 
 a message of 148 lines which said:

> They are aware and working on this. Thanks!

It works now.

$ dig NS ve

; <<>> DiG 9.18.14 <<>> NS ve
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40942
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ve.IN  NS

;; ANSWER SECTION:
ve. 18000   IN  NS  ns3.nic.ve.
ve. 18000   IN  NS  ns4.nic.ve.
ve. 18000   IN  NS  a.lactld.org.
ve. 18000   IN  NS  ns5.nic.ve.
ve. 18000   IN  NS  ssdns-tld.nic.cl.
ve. 18000   IN  NS  ns6.nic.ve.

;; Query time: 780 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Thu Jul 20 12:54:31 UTC 2023
;; MSG SIZE  rcvd: 163


https://dnsviz.net/d/ve/ZLknmA/dnssec/


Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken

2023-07-20 Thread Hugo Salgado
They are aware and working on this. Thanks!

Hugo


On July 20, 2023 3:40:06 AM GMT-04:00, Stephane Bortzmeyer  
wrote:
>On Thu, Jul 20, 2023 at 09:37:10AM +0200,
> Stephane Bortzmeyer  wrote 
> a message of 6 lines which said:
>
>> https://dnsviz.net/d/ve/ZLjinw/dnssec/
>> 
>> The DS goes to a key which does not sign (and there is no DS for the
>> key which is actually signing.)
>
>Any contact not in .ve to tell them? My email server uses a validating
>resolver :-(


Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken

2023-07-20 Thread Yasuhiro Orange Morishita / 森下泰宏
It looks like one of the USGBKR cases...
cf. https://lists.dns-oarc.net/pipermail/dns-operations/2014-March/011399.html

Before: https://dnsviz.net/d/ve/ZLZ8ng/dnssec/
After: https://dnsviz.net/d/ve/ZLjinw/dnssec/

-- Yasuhiro Orange Morishita

From: Stephane Bortzmeyer 
Subject: [dns-operations] [DNSSEC] Venezuela ccTLD broken
Date: Thu, 20 Jul 2023 09:37:10 +0200

> https://dnsviz.net/d/ve/ZLjinw/dnssec/
> 
> The DS goes to a key which does not sign (and there is no DS for the
> key which is actually signing.)
> 
> 


Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken

2023-07-20 Thread Stephane Bortzmeyer
On Thu, Jul 20, 2023 at 09:37:10AM +0200,
 Stephane Bortzmeyer  wrote 
 a message of 6 lines which said:

> https://dnsviz.net/d/ve/ZLjinw/dnssec/
> 
> The DS goes to a key which does not sign (and there is no DS for the
> key which is actually signing.)

Any contact not in .ve to tell them? My email server uses a validating
resolver :-(


[dns-operations] [DNSSEC] Venezuela ccTLD broken

2023-07-20 Thread Stephane Bortzmeyer
https://dnsviz.net/d/ve/ZLjinw/dnssec/

The DS goes to a key which does not sign (and there is no DS for the
key which is actually signing.)


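To make the failure mode Stephane describes concrete (a DS that points at a KSK which does not sign the DNSKEY RRset, and no DS for the KSK that actually does), here is an added Python example; it is not code from the thread or from any participant. It computes RFC 4034 key tags and SHA-256 DS digests with the standard library only and links DS, DNSKEY and RRSIG(DNSKEY) key tags; the function names and the key material are constructed assumptions of the example, not real .ve data.

```python
import hashlib
import struct

def name_to_wire(name):
    # Canonical wire form of an owner name: lowercase, length-prefixed labels, root label.
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    # RFC 4034 Appendix B key tag (not for algorithm 1); colliding tags are not disambiguated here.
    acc = sum(b if i % 2 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner, rdata):
    # DS digest type 2 (RFC 4509): SHA-256 over owner name wire form followed by DNSKEY RDATA.
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def check_chain(owner, ds_rrset, dnskey_rrset, rrsig_keytags):
    """ds_rrset: [(key_tag, alg, digest_type, digest_hex)]; dnskey_rrset: [(flags, proto, alg, pubkey)];
    rrsig_keytags: key tags seen in RRSIG(DNSKEY) records. Reports which keys link up and which do not."""
    keys = {}
    for flags, proto, alg, pub in dnskey_rrset:
        rd = dnskey_rdata(flags, proto, alg, pub)
        keys[key_tag(rd)] = (alg, ds_digest_sha256(owner, rd))
    ds_matched = {tag for tag, alg, dtype, dig in ds_rrset
                  if dtype == 2 and keys.get(tag) == (alg, dig.lower())}
    signing = set(rrsig_keytags) & set(keys)
    return {"ds_to_nonsigning_key": sorted(ds_matched - signing),    # the .ve symptom
            "signing_key_without_ds": sorted(signing - ds_matched),  # its other half
            "secure_entry_points": sorted(ds_matched & signing)}     # empty => validation fails

def scenario(ds_on_signing_key):
    # Constructed data, not real .ve keys: two KSKs (flags 257) and one ZSK (256) with fake RSA blobs.
    owner = "ve."
    ksk_a = (257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(1, 65)))
    ksk_b = (257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(65, 129)))
    zsk = (256, 3, 8, b"\x03\x01\x00\x01" + bytes(range(129, 193)))
    ds_key = ksk_b if ds_on_signing_key else ksk_a   # DS published for B (fixed) or for A (broken)
    rd = dnskey_rdata(*ds_key)
    ds_rrset = [(key_tag(rd), 8, 2, ds_digest_sha256(owner, rd))]
    # Only KSK B signs the DNSKEY RRset: the "key which is actually signing" from the thread.
    return check_chain(owner, ds_rrset, [ksk_a, ksk_b, zsk], {key_tag(dnskey_rdata(*ksk_b))})

if __name__ == "__main__":
    print("broken:", scenario(False))
    print("fixed: ", scenario(True))
```

With real zone data, the inputs are the parent's DS RRset, the child's DNSKEY RRset and the key tags of the RRSIG(DNSKEY) records, exactly what DNSViz draws as the broken arrow in the linked graphs.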