On 16 May 2018 at 14:51, Viktor Dukhovni wrote:
>
>
>
> I can make a list... Should it go in this draft, or should I work with
> Patrick Wallstrom to flesh out that draft? Will this draft reference
> the other one?
>
> General DNSSEC hygeine is out of scope for this draft, so better that you
wo
> On May 16, 2018, at 2:38 PM, Jacques Latour wrote:
>
> The intent of the document at bootstrap is for the parent to perform
> sufficient tests to ensure they are conformable in bootstrapping the chain of
> trust, I agree with you that these tests and other could be performed by the
> paren
ain the DS record is included right away. Any issues
with that?
-Original Message-
From: DNSOP On Behalf Of Viktor Dukhovni
Sent: May 15, 2018 4:11 PM
To: dnsop
Subject: Re: [DNSOP] Acceptance processing in
draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4
> On
> On May 15, 2018, at 3:57 PM, John Levine wrote:
>
> I think it's a swell idea to offer people DNSSEC testing services but
> it's hopeless to conflate it with key rotation.
I completely agree with you on key rotation, once the zone has already
been operating signed. But the document also cov
In article <8e5d5d6c-6893-473d-a2fe-dcb0b46e7...@dukhovni.org> you write:
>Some of the more subtle, but still very important failure modes
>are not obvious unless *tested*. It is would be a disservice to
>the ecosystem to blindly turn on only partly working DNSSEC which
>is actually broken in impo
> On May 15, 2018, at 2:29 PM, John Levine wrote:
>
> I think you will find that attempts to legislate against being stupid
> do not generally turn out well. It makes sense to check for mistakes
> that might screw up the upper level name server like an invalid
> algorithm number, but if they w
In article <1d06889c-770f-4f92-bf06-a76338aeb...@dukhovni.org> you write:
>For example, nazwa.pl has recently signed a bunch of domains with lame
>wildcard NS records under the zone apex. This breaks denial of existence
>for all child domains, including TLSA lookups, and therefore breaks email
>de
> On Apr 28, 2018, at 1:28 AM, Viktor Dukhovni wrote:
>
> So at this point I think we understand each other, and the issue comes down
> to whether it is appropriate for the registry to automatically turn on DS
> records for the first time for a domain which is substantively operationally
> d
> On Apr 27, 2018, at 3:23 PM, Matthew Pounsett wrote:
>
>> If the registry operator is going to automatically upgrade previously
>> insecure delegations to DNSSEC, then due diligence to make sure that this is
>> not going to cause outages is advisable. Once a domain is signed, TLSA and
>>
On 14 April 2018 at 17:05, Viktor Dukhovni wrote:
>
>
> > On Apr 14, 2018, at 4:26 PM, Matthew Pounsett
> wrote:
> >
> > These are getting into name server quality checks, and not security
> checks, which is the point of the acceptance testing. I don't agree that
> these should be part of this
> On Apr 14, 2018, at 4:26 PM, Matthew Pounsett wrote:
>
> These are getting into name server quality checks, and not security checks,
> which is the point of the acceptance testing. I don't agree that these
> should be part of this document.
If the registry operator is going to automatical
On 14 April 2018 at 12:54, Viktor Dukhovni wrote:
>
> A number of checks are listed in:
>
> https://tools.ietf.org/html/draft-ietf-regext-dnsoperator-
> to-rrr-protocol-04#section-3.4
>
> that are intended to make sure a domain is ready for DNSSEC.
>
> As I've been the DNSSEC and DANE implement
A number of checks are listed in:
https://tools.ietf.org/html/draft-ietf-regext-dnsoperator-to-rrr-protocol-04#section-3.4
that are intended to make sure a domain is ready for DNSSEC.
As I've been the DNSSEC and DANE implementations at now ~5.8 million domains,
I'd like to suggest some addi
13 matches
Mail list logo
