--- Begin Message ---
Viktor Dukhovni wrote:-
>I do hope that, as a community, we'll continue to steadily streamline
>acceptable NSEC3 parameters (per RFC9276) down to 0 additional
>iterations and short enough salt values (that don't result in additional
>SHA-1 input blocks).
What would be the
--- Begin Message ---
Randy Bush wrote:-
>it occurred to me that it might be wise to have a rancid-like
>(https://shrubbery.net/rancid/) equivalent for critical domains.
>i.e. to git record changes and warn of radical diffs.
>
>is there any foss tooling in this space?
For the recording, I do
--- Begin Message ---
Our systems use some RIPE Atlas anchors for general connectivity
monitoring. Just now, they all failed.
It looks as if DNSSEC has expired:-
https://dnsviz.net/d/anchors.atlas.ripe.net/dnssec/
It also looks as if other things in ripe.net may also have expired (eg
--- Begin Message ---
Dave Knight wrote:-
>> all you can validate is the NS set. The host records cannot be validated
>> because root-servers.net is not signed.
>
>Good point!
>
>They're still used to replace what was provided in the root.hints after the
>priming response is received though.
Aside from today's outage, the DNS for mail.protetion.office.com seems to
have been very poor for a long time. As an example from 2020, Brian Somers
lamented its state:-
https://lists.dns-oarc.net/pipermail/dns-operations/2020-April/020124.html
The scale of the general problem (after this fault
Sue Steffen:-
>We have created numerous subzones and delegated them to AWS private hosted
>zones for our move to the cloud efforts. This has resulted in a sprawl
>of subzones. Does anyone else have thoughts on how to manage the number of
>zones? How do you maintain currency on them like
Vladimír Čunát wrote:-
>Are you sure that you used the latest version? (5.4.4, a month old)
>Bug details: https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1237
Thanks. Embarrassingly I was running 5.4.2, and an upgrade to 5.4.4 has
(obviously!) fixed the issue in Knot Resolver.
Out of
Having tried to access AWS's console today (for the first time in a while),
an NXDOMAIN (using Knot Resolver) was returned for
eu-west-1.console.aws.amazon.com (to which AWS had redirected the browser).
Trying a lab of 4 validating caching resolvers, PowerDNS returned the
answer:-
>; <<>> DiG
At Mon, 17 Jan 2022 09:09:42 +0100, Alexander Mayrhofer
wrote:-
>> Yes, the non-signing KSK could be offline disaster recovery key. There's
>> nothing wrong about having more keys in DS than used because the change
>> process for DS is more complicated than swapping the active key in the zone.
>
On Fri, 14 Jan 2022 13:25:35 +, Brett Carr
wrote:
>This is the expected state, this TLD is mid transition when this is complete
>the currently unused DS and DNSKEY will be used for signing. This is
>pre-publication of the new data.
Thanks for that information (and also to Ondrej & Viktor).
Having been looking at .law following what looks like a slightly
sub-optimal redelegation (now complete), I notice that Zonemaster is
reporting DNSSEC issues:-
https://www.zonemaster.fr/result/f9fcceaef969aea1
>DNSSEC ERROR The DNSKEY RRset is not signed by the DNSKEY with
>tag 16819 that the
I am wondering whether those more experienced with DNSSEC could cast their
eye on an issue, which is recurring monthly (seemingly at ZSK rollover).
https://dnsviz.net/d/itconsult-dns.info/YST9pA/dnssec/
which reported errors such as:-
>RRSIG itconsult-dns.info/NS alg 13, id 4992: With a TTL of
Testing on two separate (but similarly configured) Bind 9.11.22 servers, I
also get SERVFAIL. The logs show entries like:-
>10-Mar-2021 16:20:11.606 dnssec: info: validating _dmarc.prv.se/TXT: bad cache
>hit (_dmarc.prv.se/DS)
On a test machine running 9.11.8, and having cleared the cache
At Sat, 20 Feb 2021 11:48:54 + Simon Arlott wrote:-
>Can you recommend another registrar that supports DNSSEC?
I am in the process of moving domains held at OpenSRS to EuroDNS
(www.eurodns.com) due to the low support which OpenSRS has for DNSSEC
particularly in European domains (.lu being
On Tue, 9 Feb 2021 13:19:02 -0500, Viktor Dukhovni wrote:-
>My Perl script (below) just checks that none of the RRSIGs are expiring
>too soon. If some RRset is not signed at all, that's not detected
>presently, but should be easy to add.
That is most useful - thank you!
My existing monitoring
On Tue, 9 Feb 2021 16:43:20 +, Duane Wessels wrote:-
>If you use Nagios or something compatible, there is this:
>
>http://dns.measurement-factory.com/tools/nagios-plugins/check_zone_rrsig_expiration.html
>
>But it only checks one RR (default SOA) since it doesn't assume access to the
>whole
On Tue, 19 Jan 2021 08:37:09 -0500, Viktor Dukhovni wrote:-
>On Tue, Jan 19, 2021 at 09:24:09AM +0000, Matthew Richardson wrote:
>
>> At Mon, 18 Jan 2021 13:55:21 -0500, Viktor Dukhovni wrote:-
>>
>> >2. Changing the salt takes some care, so "nobo
At Mon, 18 Jan 2021 13:55:21 -0500, Viktor Dukhovni wrote:-
>2. Changing the salt takes some care, so "nobody" does it.
Any pointers to the "care" required when changing salt (or the iteration
count) would be appreciated. My searches reveal little information. In
particular, what timing
DNSViz has recorded two entries for hoevelmann.ag. Whilst the latest one
looks OK, the previous one:-
https://dnsviz.net/d/hoevelmann.ag/X8DXeQ/dnssec/
is showing an amount of bogusness.
This previous one may be a clue...
Best wishes,
Matthew
--
>From: Thomas Mieslinger
>To:
Dear Stephane,
Whilst I have not got an answer, I have managed to get an example of a
failure using Cloudflare:-
>; <<>> DiG 9.11.19 <<>> @1.1.1.1 banquepopulaire.fr ns
>; (1 server found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41975
>;;
Thanks - I had also missed the subtlety that monitor.itconsult.net shared
servers with itconsult.net.
For testing, I have set up testmon.itconsult.net which is delegated in the
same way (ie insecure) as mtgmon.itconsult.net. However, I get the same
results, namely NOERROR for mtgmon and NXDOMAIN
>To: Matthew Richardson
>Cc: dns-operati...@dns-oarc.net
>Date: Fri, 3 Apr 2020 14:18:45 +0200
>Subject: Re: NXDOMAIN vs NOERROR/no answers for non-existant records
>On Fri, Apr 03, 2020 at 12:31:38PM +0100,
> Matthew Richardson wrote
> a message of 75 line
I am observing responses from particular authoritative servers for
non-existent domains, which is puzzling me. I thought I understood this
topic, but am now having doubts...
Consider two (real) non-existent records (which are not empty non-terminals
- there is nothing below them):-
Looking at the whois for that domain, it is showing:-
>Updated Date: 2020-02-02T14:44:44Z
which suggests that something was changed 4 days ago...
Best wishes,
Matthew
--
>From: Jim Reid
>To: pirawa...@ku.th
>Cc: dns-operations@lists.dns-oarc.net
>Date: Thu, 6 Feb 2020 16:43:59 +