Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.
In message 201302062107.r16l7f9b066...@calcite.rhyolite.com, Vernon Schryver

All of that gets back to honesty being the best policy and letting other people fix their own stuff in their own time. And the more people that validate, the bigger the peer pressure will be to fix DNSSEC problems promptly.

However, to do that you need working whois services to be able to contact the administrators of the zone by other means. Gov's whois service is a joke. No contact information at all. Can't even list the main switchboards?

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: ma...@isc.org

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.
In message 201302070048.r170mosg004...@calcite.rhyolite.com, Vernon Schryver writes:

> My view is that if an outfit has so few other users that it doesn't hear when things break and doesn't care enough to monitor, then it's not worth my time to be a pest. By the time I notice a problem with a non-trivial domain, those responsible will already be on the job and I would only be an irritating user or luser. They will already have been alerted by their monitors as well as hordes of other lusers.
>
> In other words, when did you last alert strangers about lame delegations?

When all the servers for the zone were lame.

In the last week I complained about servers for a zone that were returning A records to queries. Those servers have since been fixed. Before that it was a zone with expired signatures, a .com zone. Before that it was a zone with expired signatures for a TLD. On average I report something once a month. I don't go looking for problems, but when I see them I report them.

> Vernon Schryver v...@rhyolite.com

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: ma...@isc.org
Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.
Is there a way to exclude a domain from DNSSEC validation, like Unbound's domain-insecure?

For example, if a popular site (say nasa.gov) updates their keys incorrectly so that their domain fails validation, you contact their admins, and with a high level of confidence you determine this is a configuration mistake and not a security breach, you can then exclude them from DNSSEC validation so your customers can access their site while they fix their error.

--
Augie Schwer - au...@schwer.us - http://schwer.us
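Before bypassing validation for a domain as the question proposes, an operator wants evidence that the failure is the kind of operational mistake the thread talks about (expired or not-yet-valid signatures after a botched key update). The following is an added example, not code from this thread or from BIND; it parses constructed RRSIG records in RFC 4034 presentation format and reports where "now" falls in each signature's validity window. The helper names and the sample records are my own.

```python
"""Check RRSIG validity windows before treating a DNSSEC failure as a
configuration mistake. Added example; sample records are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed RRSIG records, RFC 4034 presentation format. Fields after the
# RRSIG type: type covered, algorithm, labels, original TTL, expiration,
# inception, key tag, signer name, signature (base64, truncated here).
SAMPLE_RRSIGS = [
    "example.gov. 300 IN RRSIG A 8 2 300 20130210000000 20130127000000 12345 example.gov. AAAA",
    "example.gov. 3600 IN RRSIG DNSKEY 8 2 3600 20130201000000 20130118000000 67890 example.gov. AAAA",
    "example.gov. 300 IN RRSIG MX 8 2 300 20130301000000 20130215000000 12345 example.gov. AAAA",
]

def parse_time(text):
    """RRSIG timestamps are presented as YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Return the fields of one RRSIG record; tolerates a leading owner/TTL/class."""
    f = line.split()
    f = f[f.index("RRSIG") + 1:]
    return {"type_covered": f[0], "expiration": parse_time(f[4]),
            "inception": parse_time(f[5]), "key_tag": int(f[6]), "signer": f[7]}

def classify(rrsig, now, soon=timedelta(days=1)):
    """Place 'now' relative to the signature's inception/expiration window."""
    if now < rrsig["inception"]:
        return "not-yet-valid"
    if now > rrsig["expiration"]:
        return "expired"
    if rrsig["expiration"] - now < soon:
        return "expiring-soon"
    return "valid"

def diagnose(lines, now):
    """Map each covered type to its window status and list the types whose
    signatures are outside their window. Expired or not-yet-valid windows are
    the common operational causes mentioned in the thread; they are one input
    into the operator's judgment, not proof that nothing else is wrong."""
    report = {}
    for line in lines:
        r = parse_rrsig(line)
        report[r["type_covered"]] = classify(r, now)
    suspect = [t for t, s in report.items() if s in ("expired", "not-yet-valid")]
    return report, suspect

if __name__ == "__main__":
    # Constructed "now": the evening the question was posted.
    print(diagnose(SAMPLE_RRSIGS, parse_time("20130205170100")))
```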
Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.
On Tue, 2013-02-05 at 17:01 -0800, Augie Schwer wrote:

> Is there a way to exclude a domain from DNSSEC validation, like Unbound's domain-insecure?

I have not tested this, but if you use RPZ to block the DS record for nasa.gov, that should turn it into an insecure zone.
Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.
On Apr 30 2012, Warren Kumari wrote:

> On Apr 26, 2012, at 2:51 PM, Jan-Piet Mens wrote:
> [...]
>> From a Comcast talk at SATIN 2012 I believe they called that a negative trust anchor, and IIRC, the author wanted to publish a draft of its operation. Haven't seen it yet though, and it's probably off topic as regards BIND.
>
> http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
>
> Being actively discussed on DNSOP list

It *was* being actively discussed there, up until about 10 days ago. Since then the participants seem to have stopped, maybe from sheer exhaustion, as it was pretty clear that there were irreconcilable opinions on the subject.

It may be worth noting in the bind-users context that ISC's [quick check - what is he these days - ah yes...] Chairman Chief Scientist expressed fairly, well, negative opinions about negative trust anchors, which maybe does not bode well for them ever appearing in BIND.

--
Chris Thompson
Email: c...@cam.ac.uk
Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.
On 30/4/12 13:56, Chris Thompson wrote:

>> http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
>>
>> Being actively discussed on DNSOP list
>
> It *was* being actively discussed there, up until about 10 days ago. Since then the participants seem to have stopped, maybe from sheer exhaustion, as it was pretty clear that there were irreconcilable opinions on the subject.
>
> It may be worth noting in the bind-users context that ISC's [quick check - what is he these days - ah yes...] Chairman Chief Scientist expressed fairly, well, negative opinions about negative trust anchors, which maybe does not bode well for them ever appearing in BIND.

Like lying resolvers or NXDOMAIN redirection? And irrespective of how much I disagree with these, this is not to say that one should never change his mind.

Gilles
Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.
On Apr 26, 2012, at 2:51 PM, Jan-Piet Mens wrote:

> Augie,
>
>> Is there a way to exclude a domain from DNSSEC validation, like Unbound's domain-insecure?
>
> That is regrettably not possible at the moment, at least not in BIND 9.9.0. The only (quite impracticable) workaround would be to define the zone authoritatively yourself and populate it somehow... (I did say impracticable, didn't I?)
>
>> For example, if a popular site (say nasa.gov) updates their keys incorrectly so that their domain fails validation, you contact their admins, and with a high level of confidence you determine this is a configuration mistake and not a security breach, you can then exclude them from DNSSEC validation so your customers can access their site while they fix their error.
>
> From a Comcast talk at SATIN 2012 I believe they called that a negative trust anchor, and IIRC, the author wanted to publish a draft of its operation. Haven't seen it yet though, and it's probably off topic as regards BIND.

http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01

Being actively discussed on DNSOP list…

W

> -JP
Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.
Jan-Piet Mens jpmens@gmail.com wrote:

> From a Comcast talk at SATIN 2012 I believe they called that a negative trust anchor, and IIRC, the author wanted to publish a draft of its operation.

http://tools.ietf.org/html/draft-livingood-negative-trust-anchors

There has been a lot of discussion on the IETF dnsop working group mailing list: http://www.ietf.org/mail-archive/web/dnsop/current/threads.html

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
German Bight, Humber: Southwest 5 to 7, becoming variable 3 or 4, then northeast 4 or 5 later in Humber. Moderate or rough, becoming slight or moderate later. Occasional rain. Moderate or good.
Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.
Augie,

> Is there a way to exclude a domain from DNSSEC validation, like Unbound's domain-insecure?

That is regrettably not possible at the moment, at least not in BIND 9.9.0. The only (quite impracticable) workaround would be to define the zone authoritatively yourself and populate it somehow... (I did say impracticable, didn't I?)

> For example, if a popular site (say nasa.gov) updates their keys incorrectly so that their domain fails validation, you contact their admins, and with a high level of confidence you determine this is a configuration mistake and not a security breach, you can then exclude them from DNSSEC validation so your customers can access their site while they fix their error.

From a Comcast talk at SATIN 2012 I believe they called that a negative trust anchor, and IIRC, the author wanted to publish a draft of its operation. Haven't seen it yet though, and it's probably off topic as regards BIND.

-JP
Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.
Great question (Augie) and great feedback (JP). As DNSSEC is adopted, some type of mitigation process will be welcomed. For that reason, I think this is on topic.

From: Jan-Piet Mens jpmens@gmail.com
To: bind-users@lists.isc.org
Sent: Thursday, April 26, 2012 2:51 PM
Subject: Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

> Augie,
>
>> Is there a way to exclude a domain from DNSSEC validation, like Unbound's domain-insecure?
>
> That is regrettably not possible at the moment, at least not in BIND 9.9.0. The only (quite impracticable) workaround would be to define the zone authoritatively yourself and populate it somehow... (I did say impracticable, didn't I?)
>
>> For example, if a popular site (say nasa.gov) updates their keys incorrectly so that their domain fails validation, you contact their admins, and with a high level of confidence you determine this is a configuration mistake and not a security breach, you can then exclude them from DNSSEC validation so your customers can access their site while they fix their error.
>
> From a Comcast talk at SATIN 2012 I believe they called that a negative trust anchor, and IIRC, the author wanted to publish a draft of its operation. Haven't seen it yet though, and it's probably off topic as regards BIND.
>
> -JP