it's hard to distinguish an implementation error and a DNS protocol error, so
yes, it might be a very good idea to triage your failures properly.
/bill
On Sat, Oct 26, 2013 at 01:28:10AM +0200, Hosnieh Rafiee wrote:
Hi Bill,
Thanks for your message.
are your new collection, DNS vulnerabilities, configuration mistakes, or
implementation faults?
/bill
On Sat, Oct 26, 2013 at 01:16:29AM +0200, Hosnieh Rafiee wrote:
Hello,
I have gathered some vulnerabilities in the current DNS security approaches
such as DNSSEC and etc. We think it
On Sat, Oct 26, 2013 at 01:11:26PM +0100, Jim Reid wrote:
On 26 Oct 2013, at 12:59, Masataka Ohta mo...@necom830.hpcl.titech.ac.jp
wrote:
a serious vulnerability of, so called, DNSSEC is lack of secure time.
some security novices innocently believed GPS time were automagically
secure.
On Mon, Feb 13, 2012 at 09:33:05AM +0100, Stephane Bortzmeyer wrote:
On Mon, Feb 06, 2012 at 07:12:56PM +,
bmann...@vacation.karoshi.com bmann...@vacation.karoshi.com wrote
a message of 49 lines which said:
A New Internet-Draft is available from the on-line Internet-Drafts
On Thu, Feb 09, 2012 at 01:17:52PM -0800, Joe Abley wrote:
Hi Bill,
On 2012-02-06, at 14:12, bmann...@vacation.karoshi.com
bmann...@vacation.karoshi.com wrote:
Thanks to Warren, Ed, John D., David C. and Kato-san for their
comments/corrections.
Any more?
I see you added some
Hello Paul.
First off, this is an RSSAC document so it is not clear why you think someone
from the root
operator community should do the copy editing.
The paragraph at the end of section 1 (the isn't really 2119 language text)
is quite cute and will cause you a world of pain and delay.
On Mon, Feb 06, 2012 at 05:52:12PM -0500, Paul Hoffman wrote:
On Feb 6, 2012, at 5:19 PM, bmann...@vacation.karoshi.com wrote:
First off, this is an RSSAC document so it is not clear why you think
someone from the root
operator community should do the copy editing.
There is a
will fold them in, thanks.
/bill
On Sun, Feb 05, 2012 at 11:34:06AM -0500, Warren Kumari wrote:
Nits and notes:
Abstract:
O: The DNS is considered a crucial part of that technical infrastrcuture.
P: The DNS is considered a crucial part of that technical infrastructure.
C:
thanks! will fold in accordingly.
/bill
On Sun, Feb 05, 2012 at 07:40:49PM -0800, David Conrad wrote:
Bill,
Comments/nits/etc.
Regards,
-drc
Last sentence of Abstract:
... zones may also find it useful.
Might suggest ... zones may also find this document useful.
---
thanks. will fold in your comments.
/bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
The Root Server System Advisory Committee of ICANN has been working on a
revision to RFC 2870.
It is currently posted as:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
Title : Root Name Server Operational Requirements
On Thu, Jul 28, 2011 at 02:11:41PM -0400, Warren Kumari wrote:
On Jul 27, 2011, at 10:08 PM, William F. Maton Sotomayor wrote:
On Tue, 26 Jul 2011, George Michaelson wrote:
I would support this latter approach William: I think we should seek WG
adoption of three drafts
1) the
On Mon, Nov 22, 2010 at 09:58:02PM +, Paul Vixie wrote:
Date: Mon, 22 Nov 2010 20:36:17 +
From: bmann...@vacation.karoshi.com
we tried this a couple time last decade with limited success. (pre
SRV). it would work, if and only if there were general agreement by
the zone
On Mon, Oct 04, 2010 at 11:14:20AM -0400, Joe Abley wrote:
On 2010-10-04, at 11:11, Eric Rescorla wrote:
Carefully specified, perhaps, but what you're saying here also makes me
think it was
also incorrectly specified, since, as I said, the technique I described is
well-known,
On Thu, Jul 08, 2010 at 11:39:33AM +0200, Olaf Kolkman wrote:
I observe though that 4641 is mainly written from the perspective of a
'zone-owner' and that I am not quite sure where to give specific advice to
administrators of recursive nameservers.
So before text is drafted there is an
thanks for this. :)
--bill
On Tue, Jun 29, 2010 at 03:19:54PM +0200, Matthijs Mekking wrote:
FYI,
I have submitted this draft on the topic of automatic update of DS (and
other records).
Best regards,
Matthijs Mekking
NLnet Labs
On Thu, Jun 17, 2010 at 01:15:06PM +0200, Peter Koch wrote:
(2) is covered in the IANA considerations section but while that section
refers to a formal policy it does not offer guidance for review.
We should capture the considerations from the most recent as well as
previous
On Mon, Jun 14, 2010 at 07:51:14PM -0700, Paul Hoffman wrote:
At 12:12 PM +1000 6/15/10, Mark Andrews wrote:
In message p06240867c8385b270...@[10.20.30.158], Paul Hoffman writes:
At 4:23 PM -0400 6/11/10, Derek Diget wrote:
Raising hand timidly
In this group!? :-)
Instead of
On Tue, Jun 08, 2010 at 02:52:01PM +1000, Mark Andrews wrote:
The zones are consistent with RFC5735 and with operational practice.
So the question - how common do we expect /32 delegations to become in
future?
From IN-ADDR.ARPA or from some other zone to handle /25-/32 sized
as the admin for ip6.int. the IPv6 wg declared that ip6.int
should be terminated on 6/6/06 - along with the 6bone. David
Conrad removed the delegation shortly thereafter, even though
there are still resolvers which look for that delegation instead
of the ip6.arpa zone - which functions as
On Wed, Mar 31, 2010 at 11:26:53PM -0700, Christopher Morrow wrote:
On Wed, Mar 31, 2010 at 1:55 PM, Dan Wing dw...@cisco.com wrote:
But Remi's point is that those same systems (running Windows XP
and IE6) using 6rd will be denied the ability to access content
via IPv6. Which removes an
- Forwarded message from Fred Baker f...@cisco.com -
This is a structured question for the community.
Jari Arkko tells us that he is getting requests from various sources to take
RFC 5006 to Proposed Standard. It is now experimental.
http://www.ietf.org/rfc/rfc5006.txt
5006 IPv6 Router
On Thu, Mar 04, 2010 at 08:11:13AM -0500, Edward Lewis wrote:
At 4:30 + 3/4/10, bmann...@vacation.karoshi.com wrote:
I'd like to suggest monday - 1500-1700
We can talk then, but the wheels were in motion to put it on
Wednesday. The reason for that was the crowd coming for the
On Tue, Mar 02, 2010 at 10:04:46AM +0100, Wolfgang Nagele wrote:
Hi,
granted that this discussion is important and folks
interested in this might be at the IETF77, could we
either have a bof (formal) or a small lunch mtg
during the week of IETF77?
I'd be glad
On Tue, Mar 02, 2010 at 08:05:38PM +, Alex Bligh wrote:
Ed,
--On 2 March 2010 14:39:45 -0500 Edward Lewis ed.le...@neustar.biz wrote:
Telling someone one to change the name server from ns1.example.tld. to
newdns.example. or 127.0.10.2 to 192.0.2.3 is easier than saying
change
On Wed, Mar 03, 2010 at 01:40:53PM +1300, Jay Daley wrote:
there is a problem w/ cut/paste ... surely we could do better than that?
I'm sure we could and an automated update of DS records is a good idea. But
my point is that in the absence of a similar automated mechanism for NS
On Tue, Feb 23, 2010 at 07:09:12AM -0800, Todd Glassey wrote:
As I have said, there is no difference between this and the Jim Crow
actions which separated blacks from the white population in the US and
the application of the concept of racially unfit parties as Trolls
within the IETF,
thanks paul.
That might be draft-hoffman-dnssec-ecdsa. I let it expire earlier this month
because the DNSEXT WG is still not clear on the allowable statuses for crypto
documents, but have today revived it based on your comment.
If you don't consider this to be a good draft, I
On Wed, Jan 13, 2010 at 09:53:16PM +, Jim Reid wrote:
On 13 Jan 2010, at 21:35, Alex Bligh wrote:
You've eliminated TCP fallback for non-DNSSEC supporting clients.
So add that to the list:
[6] TCP (no EDNS0) if [5] fails.
dnssec is just the first extension to reliably
On Wed, Nov 04, 2009 at 11:09:53AM -0800, Nicholas Weaver wrote:
Question: Have people been able to estimate how large the signed root
zone response will be?
I'm assuming it's below the magic 1500B level for standard queries. Is
this correct?
Oh, and one thing to watch out for: Some
cool eh? although I suspect she meant responses.
--bill
On Wed, Nov 04, 2009 at 07:58:41PM +0100, Alfred Hönes wrote:
Interesting News!
There must be a hidden trick to introduce DNS Jumbograms we just
forgot to mention
In a press article [1] entitled
Root zone
On Wed, Oct 21, 2009 at 08:32:49AM +0100, ray.bel...@nominet.org.uk wrote:
Mark, I din't think this is true given how the proposed protocol
works. For a start, you often cannot fetch the DNSKEY RR for ARPA
before running the protocol.
Indeed LOCAL.ARPA would need to be unsigned. That
On Tue, Oct 20, 2009 at 07:38:19PM -0400, Joe Abley wrote:
On 2009-10-20, at 19:29, Mark Andrews wrote:
ARPA will soon be signed, so I don't think this is much to worry
about. If the powers that be finally agree to make NXDOMAIN/NODATA
synthesis the default in the upcoming minor DNSSEC
http://www.icann.org/en/committees/dns-root/root-scaling-study-report-31aug09-en.pdf
--bill
a few of us actually did a little work in this area three or four years
ago - did working proof of concepts - and were promptly ignored.
(the claim was - this work was premature)
--bill
On Tue, Sep 08, 2009 at 01:23:51PM -0400, Edward Lewis wrote:
At 13:13 -0400 9/8/09, Paul Wouters wrote:
On Tue, May 19, 2009 at 02:38:01PM +0100, John Dickinson wrote:
Sz sez...
Please don't change this. Making finer distinctions in one document,
clearly defined, is one thing. But please don't try to change
terminology we're finally starting to get people to use; it's been
(and continues to
On Tue, May 12, 2009 at 04:28:01PM -0400, Paul Wouters wrote:
On Tue, 12 May 2009, Olafur Gudmundsson wrote:
Section 3: Priming can occur when the validating resolver starts, but a
validating resolver SHOULD defer priming of individual trust anchors
until each is first needed for
On Thu, Apr 30, 2009 at 02:15:48PM +0800, madi wrote:
Hi, Stephane.
To give a countermeasure, the response from a recursive server might as well
be cached in form of both plaintext and ciphertext which is generated by the
very recursive server. Thatbcursive server and authoritative
Yo Joe,
many moons back, it was pointed out to me by some crypto folks that
there is an
interesting relationship btwn key length and signature duration. One could
make the argument
that for persistent delegations, you might want to ensure longer length keys
and possibly
longer
On Thu, Apr 23, 2009 at 06:32:38PM +0800, i),h?* wrote:
Hi, folks.
As we all know, DNSSEC provides origin authentication and integrity assurance
services for DNS data exchanged between DNS resolver and name-server, while
DNSSEC fails to give a means by which the DNS queries or responses
On Thu, Apr 23, 2009 at 12:52:37PM -0400, Edward Lewis wrote:
At 8:43 -0700 4/23/09, David Conrad wrote:
root servers). However the point is that you need to do the validation
someplace you can talk securely to. The easiest answer is to simply do the
validation on the same host.
I figure
On Fri, Apr 10, 2009 at 04:19:03PM -0400, Edward Lewis wrote:
At 13:04 -0700 4/10/09, SM wrote:
This message (
http://www.ops.ietf.org/lists/namedroppers/namedroppers.2005/msg00944.html
) and some other messages on the ietf-smtp mailing list could be
read as a lack of support for the
On Tue, Mar 10, 2009 at 10:27:21AM +0100, Stephane Bortzmeyer wrote:
On Mon, Mar 09, 2009 at 01:04:42PM -0400,
Andrew Sullivan a...@shinkuro.com wrote
a message of 59 lines which said:
John's view is that the original alphabetic restriction in 1123
was indeed intended as a restriction,
On Tue, Mar 10, 2009 at 08:35:40AM +1100, Mark Andrews wrote:
In message 200903091515.n29ffetp055...@stora.ogud.com, Olafur Gudmundsson writes:
On Tue, Mar 10, 2009 at 12:55:51PM +1100, Mark Andrews wrote:
In message f7c89744-a1ca-4fd6-b793-2f4e337e3...@verisign.com, David Blacka writes:
On Mar 9, 2009, at 5:35 PM, Mark Andrews wrote:
On a related issue DS - DNSKEY translations cannot be
performed until the DNSKEY
does this mean my chances for ^B. are nil? :)
--bill
On Sat, Mar 07, 2009 at 12:07:01PM +0100, Patrik Fältström wrote:
On 6 mar 2009, at 21.54, Edward Lewis wrote:
And, from what I have heard, I believe display issues is at the
heart of the problem.
I'm sure Patrik is active in the
On Thu, Nov 20, 2008 at 12:14:45PM +0100, Florian Weimer wrote:
I came across the following in some IPv6-related draft and thought I'd
share it.
|3.1. Using DNS to Learn IPv6 Prefix and Length
|
| In order for an IPv6 host to determine if a NAT64 is present on its
| network, it sends
On Thu, Aug 28, 2008 at 12:04:15AM -0400, Brian Dickson wrote:
The DS may be provided by the operator of the subordinate zone, or built
by the parent operator,
most likely the latter.
that's an interesting premise.
why do you think this will be the case?
On Fri, Aug 29, 2008 at 10:23:53AM +1000, Mark Andrews wrote:
- The parent is already trusted with DNSSEC tools, since the parent is
signing the parent's zone (including the DS record!)
assuming facts not in evidence. there is active discussion
about having unsigned zones
http://publicsuffix/learn/ has more info (and I've just checked in
another update, which should be visible in the next day or so. There's a
human in the update loop).
Gerv
___
that URL does not resolve in the way you might
I'm going to ask this question here too.. are we talking about the DNS
or are we talking about an applications use of data published in the DNS?
i see this draft in the context of the historical DNS ... it is a mapping
service, a name to an address AND an address to a name. the mapping
On Wed, Dec 05, 2007 at 02:10:52AM +, Lican Huang wrote:
If SEARCH outside DNS were full power, then DNS would disappear soon. And
all DNS registrar companies would broken out.
perhaps you are right. at this point we don't have enough data.
What is the difference between
On Tue, Dec 04, 2007 at 04:27:06AM +, Lican Huang wrote:
When Ipv4 addresses will be Exhausted in the near future and the next
generation Internet (Ipv6) will take over, DNS names will also be exhausted
soon with the increase of hosts and users. Lenny Foner has pointed
other
On Wed, Nov 28, 2007 at 08:15:51AM -0500, Joe Abley wrote:
On 27-Nov-2007, at 10:23, Paul Vixie wrote:
[EMAIL PROTECTED] (Warren Kumari) writes:
... What do people think about setting up a legal entity called RSTOA
that would then perform some very simple checks before handing out
a
On Wed, Nov 28, 2007 at 10:58:17AM -0500, Matt Larson wrote:
On Wed, 28 Nov 2007, Peter Koch wrote:
On Tue, Nov 27, 2007 at 02:35:29PM -0800, John Crain wrote:
Currently about 60% New IP to 40% old IP... and rising slowly
So clearly a lot of folks still need to update their hints
On Wed, Nov 28, 2007 at 05:15:59PM +0100, bert hubert wrote:
On Wed, Nov 28, 2007 at 04:07:59PM +, [EMAIL PROTECTED] wrote:
and perhaps more interesting, the old address for B
showed a tapering off of traffic and then an INCREASE
last year. Old L and J got their numbers
On Wed, Nov 28, 2007 at 05:28:47PM +0100, bert hubert wrote:
On Wed, Nov 28, 2007 at 04:22:41PM +, [EMAIL PROTECTED] wrote:
The increase in traffic might easily be due to more favourable
connectivity
to 'B', which would lead many resolver implementations to shift more
queries
On Tue, Nov 27, 2007 at 01:18:04PM -0500, Edward Lewis wrote:
At 5:59 PM + 11/27/07, [EMAIL PROTECTED] wrote:
so WHO is the owner of that IP data, the zone admin
for example.org or the machine admin for ns1.example.org?
The zone admin for sure. It is the registration of the
On Tue, Nov 27, 2007 at 01:03:59PM -0800, David Conrad wrote:
Bill,
i have a zone, example.org and chose the following
nameservers:
moe.rice.edu
ns.isi.edu
PDC.example.org
as the admin of PDC.example.org, I know what IP addresses
are assigned and can change them on whim.
On Mon, Nov 26, 2007 at 01:26:00PM -0500, Warren Kumari wrote:
On Nov 26, 2007, at 11:48 AM, Joe Abley wrote:
I don't have strong feelings about whether the LOA in an RFC idea
is plausible, or even good, but I thought I'd throw it out anyway.
If there was consensus that such a
On Fri, Jun 08, 2007 at 02:57:35PM +1000, Mark Andrews wrote:
I also concur with the various protests against using . for the RNAME,
and would suggest instead nobody.localhost. along with a ref to
2606. That should be sufficiently clear to any human who looks at it,
and also meets the
On Thu, Jun 07, 2007 at 07:18:01AM -0400, Joe Abley wrote:
On 7-Jun-2007, at 01:20, Mark Andrews wrote:
Show me the xml. There should be a way to do a table.
t
list
t0.IN-ADDR.ARPA /* IPv4 THIS NETWORK
*//t
On Thu, Jun 07, 2007 at 10:24:41AM -0400, Andrew Sullivan wrote:
On Thu, Jun 07, 2007 at 10:20:33AM -0400, Thierry Moreau wrote:
OK, 0.02 worth of unsupported personal attacks against me. Out of topic.
Counter-productive. Not worth replying.
Perhaps the next time you think something is
On Sat, Feb 10, 2007 at 09:50:43PM +0100, Paul Wouters wrote:
On Sat, 10 Feb 2007, Pekka Savola wrote:
As Bert mentioned in the next message, the risk of outdated (and therefore
out-of-sync) roots is real.
I just compared the root zone as RedHat shipped it on Fri 07 Sep 2001,
with the
64 matches