Re: [swinog] Alert for bluewin DNS admins

2009-08-03 Thread Alexander Gall
On Mon, 3 Aug 2009 14:37:03 +0200,  said:

> hi alexander
>> ...
>> I sent mail to hostmas...@bluewin.ch but I'm not sure whether 
>> that gets the proper attention.  This is a serious issue for us. 
>> ...

> thanks, i've forwarded the mail to the DNS guys from bluewin ,-)

Thanks.

>> BTW, is the #swinog IRC channel still alive somewhere after 
>> irc.swinog.ch went away?

> actually, irc.swinog.ch is still alive - if you're peering over swissix or 
> get the swissix prefix.
> if you're outside of the 'swissix-network' you can use:
> - irc.swissix.ch:6667 (within swissix peers)

Cool, it only works over IPv6.  Uncool: pidgin doesn't do IPv6.

> - irc.subcult.ch:6667

This one works for me.

> - irc.nazgul.ch:6667
> - irc.bytemine.net:6667

> -steven

Thanks,
Alex


___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog


Re: [swinog] Alert for bluewin DNS admins

2009-08-03 Thread Steven.Glogger
hi alexander

> ...
> I sent mail to hostmas...@bluewin.ch but I'm not sure whether 
> that gets the proper attention.  This is a serious issue for us. 
> ...

thanks, i've forwarded the mail to the DNS guys from bluewin ,-)

> BTW, is the #swinog IRC channel still alive somewhere after 
> irc.swinog.ch went away?

actually, irc.swinog.ch is still alive - if you're peering over swissix or get 
the swissix prefix.
if you're outside of the 'swissix-network' you can use:
- irc.swissix.ch:6667 (within swissix peers)
- irc.subcult.ch:6667
- irc.nazgul.ch:6667
- irc.bytemine.net:6667

-steven



[swinog] Alert for bluewin DNS admins

2009-08-03 Thread Alexander Gall

It appears that the bluewin DNS caches are using an old key for
verifying DNSSEC for the zone switch.ch, as can be seen by using the
"cd" option of dig

; <<>> DiG 9.6.1-P1 <<>> @dns1.bluewin.ch. switch.ch. soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 605
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;switch.ch. IN  SOA

;; Query time: 40 msec
;; SERVER: 195.186.1.110#53(195.186.1.110)
;; WHEN: Mon Aug  3 14:17:55 2009
;; MSG SIZE  rcvd: 27

; <<>> DiG 9.6.1-P1 <<>> @dns1.bluewin.ch. switch.ch. soa +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 865
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;switch.ch. IN  SOA

;; ANSWER SECTION:
switch.ch.  86400   IN  SOA scsnms.switch.ch. hostmaster.switch.ch. 2009080301 28800 7200 604800 180

;; Query time: 4 msec
;; SERVER: 195.186.1.110#53(195.186.1.110)
;; WHEN: Mon Aug  3 14:17:56 2009
;; MSG SIZE  rcvd: 81

I sent mail to hostmas...@bluewin.ch but I'm not sure whether that
gets the proper attention.  This is a serious issue for us. 

To everybody: PLEASE don't configure DNSSEC trust anchors from
untrusted sources (heck, that's why they are called trust anchors).
That defeats the purpose of it and chances are that you will miss
key-rollovers.

BTW, is the #swinog IRC channel still alive somewhere after
irc.swinog.ch went away?

-- 
Alex
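
The with/without "cd" comparison shown in the dig output above can be automated for monitoring a validating resolver. The following is an added example, not part of the original posts: the function names and result labels are assumptions, the first two samples are the response headers quoted in the message, and the third is constructed.

```python
import re

STATUS = re.compile(r"status:\s*(\w+)")
FLAGS = re.compile(r";; flags:([a-z ]*);")

def parse_dig(text):
    """Return (rcode, set of header flags) from dig's text output."""
    status, flags = STATUS.search(text), FLAGS.search(text)
    if not (status and flags):
        raise ValueError("no dig response header found")
    return status.group(1), set(flags.group(1).split())

def classify(plain, with_cd):
    """Compare one query sent to the same resolver without and with +cd."""
    rcode, flags = parse_dig(plain)
    cd_rcode, cd_flags = parse_dig(with_cd)
    if "cd" not in cd_flags:
        return "inconclusive"            # second response was not a +cd query
    if rcode == "SERVFAIL" and cd_rcode != "SERVFAIL":
        # Data is reachable, only validation fails: stale trust anchor,
        # expired signatures or a broken chain. Alert the resolver operator.
        return "validation-failure"
    if rcode == "SERVFAIL":
        return "resolution-failure"      # fails even with checking disabled
    if rcode == "NOERROR":
        # "ad" only appears if the query asked for it and validation passed.
        return "ok-authenticated" if "ad" in flags else "ok-unauthenticated"
    return "other:" + rcode

# Headers as quoted in the message above (dns1.bluewin.ch, switch.ch. SOA).
PLAIN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 605
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
WITH_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 865
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0"""
# Constructed sample: the query fails even with checking disabled.
CD_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""

if __name__ == "__main__":
    print(classify(PLAIN, WITH_CD))       # the case reported in this thread
    print(classify(PLAIN, CD_SERVFAIL))
```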

