[DNSOP] AS112 and IPv6

2010-03-08 Thread William F. Maton Sotomayor
Greetings all, There's some light discussion on the as112-ops mailing list about whether or not AS112 should start doing a further two things: - start replying using IPv6 transport - amass more delegations for network blocks, like those enumerated in rfc5735. Given that the other two

Re: [DNSOP] Should root-servers.net be signed

2010-03-08 Thread Paul Wouters
On Mon, 8 Mar 2010, Joe Abley wrote: Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be paraphrased as follows: - if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs over the A and RRSets) which is a potential disadvantage Is it? Is

Re: [DNSOP] Should root-servers.net be signed

2010-03-08 Thread Paul Hoffman
At 9:38 AM -0500 3/8/10, Joe Abley wrote: I also find Jim's point regarding NET rather compelling. If the NET zone is not signed, then validating responses from a signed ROOT-SERVERS.NET zone would require yet another trust anchor to be manually-configured. ...and to manually be removed in the

Re: [DNSOP] Should root-servers.net be signed

2010-03-08 Thread Nicholas Weaver
On Mar 8, 2010, at 7:27 AM, Paul Wouters wrote: On Mon, 8 Mar 2010, Joe Abley wrote: Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be paraphrased as follows: - if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs over the A and

Re: [DNSOP] Should root-servers.net be signed

2010-03-08 Thread Paul Wouters
On Mon, 8 Mar 2010, Nicholas Weaver wrote: If your ISP is acting as a MitM on DNS, it's acting as a MitM on everything, so DNSSEC buys you f-all if you are using it for A records, because any app using that A record either doesn't trust the net or is trivially p0owned by the ISP. If I detect

Re: [DNSOP] Should root-servers.net be signed

2010-03-08 Thread Tony Finch
On Mon, 8 Mar 2010, Joe Abley wrote: - signing ROOT-SERVERS.NET would result in potentially-harmful large responses with no increase in security Can't you deal with this by omitting the root-servers.net RRSIGs from the additional section of responses to queries to the root? Tony. --

Re: [DNSOP] AS112 and IPv6

2010-03-08 Thread Alfred Hönes
At Mon, 8 Mar 2010 09:27:20 -0500 (EST), William F. Maton Sotomayor wrote: ... Given that the other two drafts on AS112 are already along the path to getting considered beyond the WGLC, would it be prudent to generate a third draft specific to these issues? Nicely said. This indeed again

Re: [DNSOP] AS112 and IPv6

2010-03-08 Thread William F. Maton Sotomayor
On Mon, 8 Mar 2010, Alfred Hönes wrote: At Mon, 8 Mar 2010 09:27:20 -0500 (EST), William F. Maton Sotomayor wrote: Given that the other two drafts on AS112 are already along the path to getting considered beyond the WGLC, would it be prudent to generate a third draft specific to these issues?

Re: [DNSOP] Should root-servers.net be signed

2010-03-08 Thread Thierry Moreau
Joe Abley wrote: On 2010-03-08, at 10:27, Paul Wouters wrote: On Mon, 8 Mar 2010, Joe Abley wrote: Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be paraphrased as follows: - however, since the root zone is signed, validators can already tell when they are

Re: [DNSOP] Should root-servers.net be signed

2010-03-08 Thread Nicholas Weaver
On Mar 8, 2010, at 9:31 AM, Thierry Moreau wrote: Joe Abley wrote: On 2010-03-08, at 10:27, Paul Wouters wrote: On Mon, 8 Mar 2010, Joe Abley wrote: Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be paraphrased as follows: - however, since the root zone

Re: [DNSOP] Should root-servers.net be signed

2010-03-08 Thread George Barwood
- Original Message - From: Joe Abley jab...@hopcount.ca To: Tony Finch d...@dotat.at Cc: George Barwood george.barw...@blueyonder.co.uk; dnsop@ietf.org Sent: Monday, March 08, 2010 4:22 PM Subject: Re: [DNSOP] Should root-servers.net be signed On 2010-03-08, at 11:18, Tony Finch

[DNSOP] IPv6 rDNS for ISPs v3

2010-03-08 Thread Lee Howard
I apologize for waiting until the last minute to make updates. Earlier versions of this draft have been discussed on-list and at the last two IETF meetings: draft-howard-isp-ip6rdns-03 Comments from the last meeting were as follows; I think I have responded to all of them in the new

Re: [DNSOP] Should root-servers.net be signed

2010-03-08 Thread Mark Andrews
In message 43fc3f50679f458a869f99d72ecd1...@localhost, George Barwood writes: - Original Message - From: Joe Abley jab...@hopcount.ca To: Tony Finch d...@dotat.at Cc: George Barwood george.barw...@blueyonder.co.uk; dnsop@ietf.org Sent: Monday, March 08, 2010 4:22 PM Subject:

Re: [DNSOP] Should root-servers.net be signed

2010-03-08 Thread Masataka Ohta
Nicholas Weaver wrote: DNSSEC is ONLY useful for things like TXT and CERT records fetched by a DNSSEC aware cryptographic application, and that would require a valid signature chain from the root(s) of trust (either preconfigured or on a path from the signed root) validated on the client, so

Re: [DNSOP] Should root-servers.net be signed

2010-03-08 Thread Joe Abley
On 2010-03-08, at 17:08, George Barwood wrote: It's interesting to note that currently dig any . @a.root-servers.net +dnssec truncates, leading to TCP fallback but dig any . @l.root-servers.net +dnssec does not truncate ( response size is 1906 bytes ). A runs BIND9, as far as I