Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken
On a similar issue, why aren’t the root servers all implementing DNS COOKIES, as they provide clients protection from spoofed referrals?

-- 
Mark Andrews

> On 21 Jul 2023, at 03:16, David Conrad wrote:
>
> Hi,
>
>> On Jul 20, 2023, at 7:29 AM, Viktor Dukhovni wrote:
>> Finally, for the RSAC (yes not the right forum to formally lodge the
>> question), should the root zone DS TTL still be 1 day? Would a change
>> to one hour be acceptable (aligning it with the practice of many
>> TLDs and aiding in more timely recovery from mistakes)?
>
> Haven’t thought about the implications enough to comment on the idea, however
> instead of RSSAC, this sounds to me like a question for RZERC to (eventually)
> weigh in on. In the Byzantine world of ICANN, it would need to be brought to
> RZERC by "any of [RZERC’s] members, PTI staff, or by the Customer Standing
> Committee (CSC)”, many of which are on this mailing list.
>
> Regards,
> -drc

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken
Hi,

On Jul 20, 2023, at 7:29 AM, Viktor Dukhovni wrote:
> Finally, for the RSAC (yes not the right forum to formally lodge the
> question), should the root zone DS TTL still be 1 day? Would a change
> to one hour be acceptable (aligning it with the practice of many
> TLDs and aiding in more timely recovery from mistakes)?

Haven’t thought about the implications enough to comment on the idea, however
instead of RSSAC, this sounds to me like a question for RZERC to (eventually)
weigh in on. In the Byzantine world of ICANN, it would need to be brought to
RZERC by "any of [RZERC’s] members, PTI staff, or by the Customer Standing
Committee (CSC)”, many of which are on this mailing list.

Regards,
-drc
Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken
On Thu, Jul 20, 2023 at 07:25:17AM -0400, Hugo Salgado wrote:

> They are aware and working on this. Thanks!

The final working state is still somewhat suboptimal:

- The KSKs are 4096 bit RSA. This is pointless, the DS RRset from the
  root is signed with a 2048-bit RSA key. The additional bits are just
  packet size and computational bloat.

- The ZSK need not (and so in practice should not) also sign the DNSKEY
  RRset, just the KSK signatures are sufficient.

Finally, for the RSAC (yes not the right forum to formally lodge the
question), should the root zone DS TTL still be 1 day? Would a change
to one hour be acceptable (aligning it with the practice of many
TLDs and aiding in more timely recovery from mistakes)?

-- 
    Viktor.
Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken
On Thu, Jul 20, 2023 at 07:25:17AM -0400,
 Hugo Salgado wrote
 a message of 148 lines which said:

> They are aware and working on this. Thanks!

It works now.

$ dig NS ve

; <<>> DiG 9.18.14 <<>> NS ve
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40942
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ve.				IN	NS

;; ANSWER SECTION:
ve.			18000	IN	NS	ns3.nic.ve.
ve.			18000	IN	NS	ns4.nic.ve.
ve.			18000	IN	NS	a.lactld.org.
ve.			18000	IN	NS	ns5.nic.ve.
ve.			18000	IN	NS	ssdns-tld.nic.cl.
ve.			18000	IN	NS	ns6.nic.ve.

;; Query time: 780 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Thu Jul 20 12:54:31 UTC 2023
;; MSG SIZE  rcvd: 163

https://dnsviz.net/d/ve/ZLknmA/dnssec/
Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken
They are aware and working on this. Thanks!

Hugo

On July 20, 2023 3:40:06 AM GMT-04:00, Stephane Bortzmeyer wrote:
>On Thu, Jul 20, 2023 at 09:37:10AM +0200,
> Stephane Bortzmeyer wrote
> a message of 6 lines which said:
>
>> https://dnsviz.net/d/ve/ZLjinw/dnssec/
>>
>> The DS goes to a key which does not sign (and there is no DS for the
>> key which is actually signing.)
>
>Any contact not in .ve to tell them? My email server uses a validating
>resolver :-(
Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken
It looks like one of the USGBKR cases...

cf. https://lists.dns-oarc.net/pipermail/dns-operations/2014-March/011399.html

Before: https://dnsviz.net/d/ve/ZLZ8ng/dnssec/
After: https://dnsviz.net/d/ve/ZLjinw/dnssec/

-- 
Yasuhiro Orange Morishita

From: Stephane Bortzmeyer
Subject: [dns-operations] [DNSSEC] Venezuela ccTLD broken
Date: Thu, 20 Jul 2023 09:37:10 +0200

> https://dnsviz.net/d/ve/ZLjinw/dnssec/
>
> The DS goes to a key which does not sign (and there is no DS for the
> key which is actually signing.)
Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken
On Thu, Jul 20, 2023 at 09:37:10AM +0200,
 Stephane Bortzmeyer wrote
 a message of 6 lines which said:

> https://dnsviz.net/d/ve/ZLjinw/dnssec/
>
> The DS goes to a key which does not sign (and there is no DS for the
> key which is actually signing.)

Any contact not in .ve to tell them? My email server uses a validating
resolver :-(
[dns-operations] [DNSSEC] Venezuela ccTLD broken
https://dnsviz.net/d/ve/ZLjinw/dnssec/

The DS goes to a key which does not sign (and there is no DS for the
key which is actually signing.)
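Added example, not code from any poster in this thread: a small pure-Python check for the failure Stephane describes (a parent DS that matches a published DNSKEY which does not sign the DNSKEY RRset, and a signing KSK with no DS), which also reports the redundant ZSK signature over the DNSKEY RRset that Viktor mentions. Key tags follow RFC 4034 Appendix B and DS digests RFC 4034 section 5.1.4; the DNSKEY and DS values below are constructed placeholders, not the real .ve keys.

```python
import hashlib
import struct

def name_wire(name: str) -> bytes:
    # Uncompressed wire-format owner name: "ve." -> b"\x02ve\x00"
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey  # protocol is always 3

def key_tag(rdata: bytes) -> int:
    # RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + (ac >> 16)) & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> bytes:
    # DS digest type 2: SHA-256 over owner name + DNSKEY RDATA (RFC 4034 5.1.4)
    return hashlib.sha256(name_wire(owner) + rdata).digest()

def diagnose(owner, dnskeys, ds_set, signer_tags):
    """dnskeys: DNSKEY RDATA list; ds_set: (key_tag, sha256 digest) pairs from the
    parent; signer_tags: key tags of the RRSIGs over the child's DNSKEY RRset.
    Returns (errors, notes); empty errors means the chain of trust validates."""
    errors, notes = [], []
    by_tag = {key_tag(k): k for k in dnskeys}
    ds_tags = {tag for tag, _ in ds_set}
    for tag, digest in ds_set:
        key = by_tag.get(tag)
        if key is None or ds_digest(owner, key) != digest:
            errors.append(f"DS {tag} matches no published DNSKEY")
        elif tag not in signer_tags:
            errors.append(f"DS {tag} points to a key that does not sign the DNSKEY RRset")
    for tag in (t for t in signer_tags if t in by_tag and t not in ds_tags):
        if struct.unpack("!H", by_tag[tag][:2])[0] & 1:  # SEP bit set: a KSK
            errors.append(f"KSK {tag} signs the DNSKEY RRset but has no DS")
        else:
            notes.append(f"ZSK {tag} also signs the DNSKEY RRset (redundant)")
    return errors, notes

# Constructed sample (not the real .ve keys): the parent DS was made from KSK_A,
# but only KSK_B actually signs the DNSKEY RRset, mirroring the .ve breakage.
KSK_A = dnskey_rdata(257, 8, b"\x03\x01\x00\x01\xaa\xbb\xcc\xdd")
KSK_B = dnskey_rdata(257, 8, b"\x03\x01\x00\x01\x11\x22\x33\x44")
ZSK = dnskey_rdata(256, 8, b"\x03\x01\x00\x01\x55\x66\x77\x88")
DS_SET = [(key_tag(KSK_A), ds_digest("ve.", KSK_A))]
if __name__ == "__main__":
    for line in diagnose("ve.", [KSK_A, KSK_B, ZSK], DS_SET, [key_tag(KSK_B)])[0]:
        print(line)
```

In practice the inputs come from a `dig DNSKEY ve. +dnssec` answer and the DS RRset served by the root; the check reproduces what the DNSViz graphs in this thread show.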