Re: [DNSOP] Unexpected REFUSED from BIND when using example config from RFC7706

2017-04-06 Thread Paul Vixie
On Friday, April 7, 2017 12:51:40 AM GMT David Conrad wrote: > Paul, > > On Apr 6, 2017, 2:24 PM -1000, Paul Vixie, wrote: > > the proviso is, RFC 7706 is also completely unsuitable for non-hardcore or > > non-experienced or non-protocol-geeks; > ... This strikes me as a bit

Re: [DNSOP] Unexpected REFUSED from BIND when using example config from RFC7706

2017-04-06 Thread David Conrad
Paul, On Apr 6, 2017, 2:24 PM -1000, Paul Vixie, wrote: > the proviso is, RFC 7706 is also completely unsuitable for non-hardcore or > non-experienced or non-protocol-geeks; 7706 doesn't recommend editing someone else's zone file, re-signing it, and figuring out how to

Re: [DNSOP] Unexpected REFUSED from BIND when using example config from RFC7706

2017-04-06 Thread Paul Vixie
On Thursday, April 6, 2017 11:53:25 PM GMT David Conrad wrote: > On Apr 6, 2017, 2:32 AM -1000, Paul Vixie, wrote: > > if you want to run yeti-style, there are some perl scripts that will > > fetch and verify the root zone, edit the apex NS and DNSKEY RRsets, > > re-sign with

Re: [DNSOP] Unexpected REFUSED from BIND when using example config from RFC7706

2017-04-06 Thread David Conrad
On Apr 6, 2017, 2:32 AM -1000, Paul Vixie, wrote: > if you want to run yeti-style, there are some perl scripts that will > fetch and verify the root zone, edit the apex NS and DNSKEY RRsets, > re-sign with your local key, and give you a zone you can run on several > servers

Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-00.txt

2017-04-06 Thread Wes Hardaker
Bob Harold writes: > This one still needs to be fixed: Thanks Bob. That was a straight copy; I hope to do a new version immediately and will certainly make that change. -- Wes Hardaker USC/ISI

Re: [DNSOP] The DNSOP WG has placed draft-kristoff-dnsop-dns-tcp-requirements in state "Candidate for WG Adoption"

2017-04-06 Thread Bob Harold
On Tue, Mar 28, 2017 at 4:34 PM, IETF Secretariat < ietf-secretariat-re...@ietf.org> wrote: > > The DNSOP WG has placed draft-kristoff-dnsop-dns-tcp-requirements in > state > Candidate for WG Adoption (entered by Tim Wicinski) > > The document is available at >

Re: [DNSOP] New terminology for root name service

2017-04-06 Thread Dan York
On Apr 6, 2017, at 11:25 AM, Matthew Pounsett wrote: On 15 March 2017 at 13:31, Paul Hoffman wrote: Greetings again. RSSAC has published a lexicon of terms that are commonly used with

Re: [DNSOP] New terminology for root name service

2017-04-06 Thread Matthew Pounsett
On 15 March 2017 at 13:31, Paul Hoffman wrote: > Greetings again. RSSAC has published a lexicon of terms that are commonly > used with respect to the root of the public DNS, but are not in RFC 7719. I > have opened an issue for the terminology-bis document at >

Re: [DNSOP] New Version Notification for draft-muks-dnsop-dnssec-sha3-00.txt

2017-04-06 Thread Tony Finch
Jelte Jansen wrote: > > We can certainly discuss alternative schemes, RSASSA-PSS is a potential > alternative, which I understand is considered (much?) better. It has a > big drawback though, in that it requires salt, which can be a big issue > for large deployments. As I

Re: [DNSOP] Unexpected REFUSED from BIND when using example config from RFC7706

2017-04-06 Thread Paul Vixie
Bjørn Mork wrote: > Tony Finch writes: ... >> You might be able to work around the problem by adding a >> match-recursion-only option to the recursive view, and adding a >> non-recursive view that has allow-query-cache, and use attach-cache >> so all views share the same cache. I

Re: [DNSOP] Unexpected REFUSED from BIND when using example config from RFC7706

2017-04-06 Thread Tony Finch
Bjørn Mork wrote: > > Recently I noticed a side effect of this configuration which I consider > unwanted and unexpected: It changes how BIND replies to requests without > the RD bit set. BIND will normally answer such requests with a "best > possible redirection", using any

[DNSOP] Unexpected REFUSED from BIND when using example config from RFC7706

2017-04-06 Thread Bjørn Mork
Hello, We are currently trying out the configuration recommended by RFC7706, serving a copy of the root zone on a loopback. We are using BIND 9.10 and our configuration is directly copied from the example in appendix B.1. Even down to the actual loopback address used, as we needed a dedicated

Re: [DNSOP] New Version Notification for draft-muks-dnsop-dnssec-sha3-00.txt

2017-04-06 Thread Jelte Jansen
On 2017-04-05 16:50, Mukund Sivaraman wrote: >> Also, it is weird that a draft that is about having a fallback if a hash >> algorithm becomes weakened uses the RSASSA-PKCS1-v1_5 signature scheme, >> given that PKCS1 1.5 is already known to be weakened. > > It was to allow simple addition of the