t
draft-ietf-eppext-keyrelay should ignore the IPR claim. RFC6781 was already a
DNSOP document before the IPR claim was submitted.
- --
Antoin Verschuren
Tweevoren 6, 5672 SB Nuenen, NL
M: +31 6 37682392
it would be wise to jointly address both the Informational
concept description and provisioning solution and if members of DNSOPS have any
input to the IPR discussion on the REGEXT mailinglist, I would invite them to
contribute.
- --
Antoin Verschuren
etermine the maximum quality of the DNS.
Perhaps a personal question to you: What score would you like the .de domain
(not zone!) to have? And why? What would you do if they only scored 40% ?
- --
Antoin Verschuren
emonitor (in Dutch,
Google Translate is your friend)
- --
Antoin Verschuren
___
DNSOP mailing list
DNSOP@ietf.org
https://ww
latency by introducing
anycast is its secondary goal.
For other services, goals may be different.
- --
Antoin Verschuren
Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500 M: +31 6 23368970
Mailto: antoin.verschu...@sidn.nl
XMPP: antoin.verschu
On 02-09-14 at 09:31, Andrew Sullivan wrote:
On Tue, Sep 02, 2014 at 09:28:15AM +0200, Antoin Verschuren wrote:
Reducing latency, or better, not increasing latency by introducing
anycast is its secondary goal.
For a number of customers
on feedback I got from registrars.
So I think the wording on detecting/pushing/polling are not clear and
unbiased enough, I just didn't have time to send text.
I hope someone with more time during Easter agrees.
- --
Antoin Verschuren
once the
parent has published it, and this is how to do that safely.
- --
Antoin Verschuren
- -.
- --
Antoin Verschuren
as a parent not to accommodate that use
case in our tree unless someone convinces us there's a legitimate
other use case that cannot live with those rules.
- --
Antoin Verschuren
it, and this is how to do that safely.
So I'm ok if they stay in, but we need a way to get them out for the
ones that need that.
- --
Antoin Verschuren
that the child may be in trouble when I change my policy in accepting
CDS in the future. But that's the price the child pays for violating
the protocol. I don't see any use case or excuse for the CDNSKEY and
CDS not matching -if- they are both in the zone.
- --
Antoin Verschuren
. Maybe
that same name scheme is used in other protocols as well, but that
does not make a name a domain name.
I don't consider these other names with dots in them inferior, but
they are simply not domain names.
- --
Antoin Verschuren
records, but also between CDS
records and epp commands. If different registries implement
different policies here, the world might risk being much messier
than what we want.
Exactly my statement.
- --
Antoin Verschuren
draft-hardaker-dnsop-csync-00.txt better, as
it tries to solve the more general case of sending technical
delegation data from child to parent, whether it is NS, DS, DNSKEY, or
any other records we might need in the future to maintain a delegation.
- --
Antoin Verschuren
.
- --
Antoin Verschuren
, it will hit the parent harder than when it did
not implement HAMMER, and probably create more DNS traffic than
without HAMMER.
I feel this needs to be clarified in the draft.
- --
Antoin Verschuren
?
- --
Antoin Verschuren
?
- --
Antoin Verschuren
, so there's no real world experience with most of the
registries that now only accept DS. Sending a key format for a DNS
operator change, and a DS format for a delegation request makes matters
complex for the child operators. That's why we accept key format for all.
- --
Antoin Verschuren
12345 8 2 ... . .
in our zone, as we know you cannot use our chain of trust from the
root anyway if you don't support that algorithm.
Our zone is not the start of any chain of trust, so you have to be
able to use the DS we have chosen in the root for our zone to validate.
- --
Antoin Verschuren
is tested and
considered deployed in the policy area the parent wants to serve, I'm
sure they will use it.
- --
Antoin Verschuren
, we should have started with DNSKEY right away.
Other processes need DNSKEY (Secure DNS operator transfers f.e.).
- --
Antoin Verschuren
is to get the key from the gaining dns
operator delivered to the current operator so that it becomes a second
chain of trust after it is inserted in the current delegated zone.
- --
Antoin Verschuren
over those records with
the ZSK of the other, so a double signature is impossible.
- --
Antoin Verschuren
the document.
- --
Antoin Verschuren
patent
system as a matter of fact.
- --
Antoin Verschuren
DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
- --
Antoin Verschuren
on purpose.
So somewhere in section 7 it should state not to use negative trust anchors for
domains that are intentionally insecure, though I wonder how this could be
signalled (in a secure way).
- --
Antoin Verschuren
by a negative trust anchor.
--
Antoin Verschuren
Unfortunately I deleted the original email message so I lost the thread,
but I'd like to state I read version 07 of the 4641bis draft, and I can
live with the changes made to the document.
I have no further comments.
See you in Quebec,
- --
Antoin
). This may change 4641bis again...
hope to have discussions next week
- --
Antoin Verschuren
Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500 F: +31 26 3525505 M: +31 6 23368970
mailto:antoin.verschu...@sidn.nl xmpp:ant
. But it is still
a step in the right direction to try to define how the RR should look like.
The definition of the signaling can actually be defined later.
Agree, that is a next step.
- --
Antoin Verschuren
domains between dns-operators.
- --
Antoin Verschuren
. That's the only advice we can give.
- --
Antoin Verschuren
rollover may be preferred over the
larger zone file.
And again, if the rollover includes a change of DNS operator, Double-DS
is the only way to go if you want to stay secure.
- --
Antoin Verschuren
is with double-DS
Child A can only generate RRSIG_K_A(DNSKEY)
and child B can only generate RRSIG_K_B(DNSKEY)
Both DS_A and DS_B need to be at the parent for the rollover.
- --
Antoin Verschuren
to exchange.
- --
Antoin Verschuren
by the KSK only.
All RRSIG_Z_*(DNSKEY) can be removed.
- --
Antoin Verschuren
with a Single Type
signing scheme.
Same as above.
A Double-DS rollover is the only rollover mechanism you can use during a
secure dns operator change. Even with a Single Type signing scheme.
- --
Antoin Verschuren
On Friday 15-10-2010 at 10:46 [time zone +0200], Fredrik
Ljunggren wrote:
On 2010-10-14, at 18:08, Antoin Verschuren wrote:
The dns-operator is needed for a number of registry processes where a
change of dns-operator for the authoritative nameservers for a child
zone happen
in
such a bilateral contract with a dns-operator. What contractual
responsibilities he transfers when he does not control the zone himself.
-- Fredrik
On 2010-10-13, at 22:47, Antoin Verschuren wrote:
On Thursday 30-09-2010 at 16:39 [time zone +0100], Stephen
Morris wrote:
The working
for DNSSEC maintenance.
My personal opinion is that we need to define an entity that can
add/remove/change DNSKEY RR's and can push the button to resign the zone, and
when he does, can communicate that to the parent zone through registrar,
registrant, registry or any combination of those.
--
Antoin
.
There are in fact more customers to be lost when you do it wrong, than can be
gained by doing it right.
Automate it. Over DNS.
Antoin Verschuren
we're not going to win on instable
technical solutions.
Antoin Verschuren
.
Antoin Verschuren
by the application.
Antoin Verschuren
will be available soon.
We will also announce to the RIPE dns and enum wg mailing lists when we
consider our trust anchors to be ready for production use.
We hope this contribution will help the adoption of DNSSEC to secure the
DNS.
Regards,
Antoin Verschuren
the cached
DNSKEY, remove it from the cache and requery.
The only issue is indeed how often this should occur to prevent DOS.
Preferably only once per DNSKEY TTL, but how does a resolver keep track of
that..
Antoin Verschuren
operator with his private key, and publish those RRsigs.
I would like best not to have complex procedures. So can we mandate
resolver/validation behavior ?
Antoin Verschuren
in registration policy, or in a bilateral contract
between the registrant and the DNS operator when the registrant
outsources its DNS operations for his zone.
Antoin Verschuren
behaviour from what a resolver is
currently doing...
Is that a viable suggestion that needs to be written down somewhere ?
Antoin Verschuren
.
I believe that is what DNSSEC does.
Antoin Verschuren
, but at least they consulted the IETF DNSOP WG, and not insulted them.
It's for the layer 9 issue, not for the bad code.
Antoin Verschuren
or the DNS ?
Antoin Verschuren
which doesn't say anything anymore about
localhost entries, so no encouragement nor discouragement.
I think that if localhost entries in zones should be discouraged, it
should come from the consensus of this WG.
Antoin Verschuren
.
The only one that can change the delegation of example.nl is that zone's owner.
Other ***.example.nl hosts which are not in the NS set of example.nl do not
need glue.
Only if example.nl changes its delegation, and a new ***.example.nl is added
to the NS set, we ask for the IP and add glue.
Antoin