Re: lists.isc.org rDNS failed, DNSSEC?

2012-02-29 Thread Mark Andrews
In message 1330508848.24108.140661042811...@webmail.messagingengine.com, nudge writes: A thought regarding the pros and cons of DNSSEC that I don't recall being mentioned. There are a whole set of things you can do once you have secure DNS. You just have to use your imagination. This one

RE: lists.isc.org rDNS failed, DNSSEC?

2012-02-28 Thread Marc Lampo
Marc Lampo Security Officer EURid (for .eu) -Original Message- From: michoski [mailto:micho...@cisco.com] Sent: 24 February 2012 06:01 AM To: vinny_abe...@dell.com; kob6...@gmail.com; ma...@isc.org Cc: bind-us...@isc.org Subject: Re: lists.isc.org rDNS failed, DNSSEC? On 2/23/12 8:48 PM

Re: lists.isc.org rDNS failed, DNSSEC?

2012-02-28 Thread /dev/rob0
On Tue, Feb 28, 2012 at 01:16:16PM +0100, Marc Lampo wrote: Please allow some partly/mostly non-technical feedback as security officer for a TLD (.eu). First of all: I do not deny DNSSEC adds a challenge for administrators. They must understand that adding this additional SECurity aspect

Re: lists.isc.org rDNS failed, DNSSEC?

2012-02-28 Thread michoski
On 2/28/12 9:26 AM, /dev/rob0 r...@gmx.co.uk wrote: On Tue, Feb 28, 2012 at 01:16:16PM +0100, Marc Lampo wrote: First of all: I do not deny DNSSEC adds a challenge for administrators. They must understand that adding this additional SECurity aspect will generate extra work

Re: lists.isc.org rDNS failed, DNSSEC?

2012-02-28 Thread Evan Hunt
I suppose there are different classes of failures; unfortunately on the resolver, there is only one result, SERVFAIL, to cover all. It would be better if there were a way to distinguish the "oops, admin bungled DNSSEC" errors from the ones which are more likely to be indicative of spoofing.

Re: lists.isc.org rDNS failed, DNSSEC?

2012-02-28 Thread Mark Andrews
In message cb725c9f.24ec1%micho...@cisco.com, michoski writes: Doing DNSSEC verification in 2012 is lopsided the other way. You cannot resolve the names you need sometimes. You're probably not receiving any actual protection from spoofing. I feel similarly. I do see risk in the non

Re: lists.isc.org rDNS failed, DNSSEC?

2012-02-28 Thread /dev/rob0
On Tue, Feb 28, 2012 at 06:28:54PM +, Evan Hunt wrote: the one that bites us most often is that of the expired RRSIG. If we could log that but go ahead and accept the data, most of the pain would stop. BIND has this: dnssec-accept-expired yes; Note that it opens you to replay

Re: lists.isc.org rDNS failed, DNSSEC?

2012-02-23 Thread Mark Andrews
There were issues with the delegation of some zones. NS records were not added to the parent zone when they should have been, but the scripts which sign the zones added DS records, which caused the parent zone not to be re-signed. The signatures for the parent zone eventually expired, which caused

Re: lists.isc.org rDNS failed, DNSSEC?

2012-02-23 Thread Kevin Oberman
On Thu, Feb 23, 2012 at 2:47 PM, Mark Andrews ma...@isc.org wrote: There were issues with the delegation of some zones.  NS records were not added to the parent zone when they should have been but the scripts which sign the zones added DS records which caused the parent zone not to be

RE: lists.isc.org rDNS failed, DNSSEC?

2012-02-23 Thread Vinny_Abello
lists.isc.org rDNS failed, DNSSEC? On Thu, Feb 23, 2012 at 2:47 PM, Mark Andrews ma...@isc.org wrote: There were issues with the delegation of some zones.  NS records were not added to the parent zone when they should have been but the scripts which sign the zones added DS records which caused

Re: lists.isc.org rDNS failed, DNSSEC?

2012-02-23 Thread michoski
On 2/23/12 8:48 PM, vinny_abe...@dell.com vinny_abe...@dell.com wrote: I kind of had the same thought... If ISC had a DNS outage due to expired signatures of a zone, what chance do I have in successfully deploying and maintaining DNSSEC for my zones? Sure, everyone makes mistakes, but I think

Re: lists.isc.org rDNS failed, DNSSEC?

2012-02-23 Thread Kevin Oberman
On Thu, Feb 23, 2012 at 9:00 PM, michoski micho...@cisco.com wrote: On 2/23/12 8:48 PM, vinny_abe...@dell.com vinny_abe...@dell.com wrote: I kind of had the same thought... If ISC had a DNS outage due to expired signatures of a zone, what chance do I have in successfully deploying and