Re: [DNSOP] SSAC: Testing Firewalls for IPv6 and EDNS0 Support

2007-01-06 Thread Mark Andrews
. It would be nice if the first fragment could be sent last, perhaps a second box could delay the initial fragment by 20 ms or so. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED

Re: Fwd: [DNSOP] Re: I-D ACTION:draft-ietf-dnsop-reverse-mapping-considerations-02.txt

2007-03-26 Thread Mark Andrews
it fourth in the world in overall visitors. http://www.corp.aol.com/whoweare/facts.shtml --Dean -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED

Re: [DNSOP] Fwd:

2007-05-08 Thread Mark Andrews
On 8-May-2007, at 09:59, [EMAIL PROTECTED] wrote: On 7-May-2007, at 23:04, Mark Andrews wrote: You say that one should not be worried about answers from these servers. This needs to be clarified to state what a normal answer is both for PTR QUERY and UPDATE. NXDOMAIN

Re: [DNSOP] draft-ietf-dnsop-default-local-zones-01

2007-06-06 Thread Mark Andrews
never wrong, you're not trying hard enough ___ DNSOP mailing list DNSOP@ietf.org https://www1.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL

Re: [DNSOP] draft-ietf-dnsop-default-local-zones-01

2007-06-07 Thread Mark Andrews
. Not nobody.invalid.? [EMAIL PROTECTED] is likely to be a real mailbox. [EMAIL PROTECTED] should bounce. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED

Re: [DNSOP] /etc/hosts: ::1 localhost or ::1 ip6-localhost (or both and also make ip4-localhost) ?

2007-06-08 Thread Mark Andrews
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP mailing list DNSOP@ietf.org https://www1.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] draft-ietf-dnsop-default-local-zones-01

2007-06-08 Thread Mark Andrews
On Fri, Jun 08, 2007 at 02:57:35PM +1000, Mark Andrews wrote: I also concur with the various protests against using . for the RNAME, and would suggest instead nobody.localhost. along with a ref to 2606. That should be sufficiently clear to any human who looks at it, and also meets

Re: [DNSOP] reverse-mapping issue 18: RFC 1912

2007-06-25 Thread Mark Andrews
___ DNSOP mailing list DNSOP@ietf.org https://www1.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP mailing list

Re: [DNSOP] WGLC for draft-ietf-dnsop-respsize-07.txt

2007-07-25 Thread Mark Andrews
. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP mailing list DNSOP@ietf.org https://www1.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Re: getaddrinfo() and searching

2007-09-28 Thread Mark Andrews
--On Friday, 28 September, 2007 09:48 +1000 Mark Andrews [EMAIL PROTECTED] wrote: ... It's not. Even without IPv6, having search domains means you can get unexpected results. If that's not acceptable, don't complain, but put a period behind your FQDNs. Please state

Re: [DNSOP] Re: Last Call: draft-ietf-dnsop-reflectors-are-evil (Preventing Use of Recursive Nameservers in Reflector Attacks) to BCP

2007-10-01 Thread Mark Andrews
On Oct 1, 2007, at 7:42 PM, Mark Andrews wrote: As for the TSIG or SIG(0) recommendation, I'm not sure what the numbers are for client support today, but I suspect it's at best a negligible sample. Well all Windows XP/2003/Vista boxes can be configured to support TSIG

Re: [DNSOP] Always registering the IP address of the name servers during a delegation?

2007-11-28 Thread Mark Andrews
3525500 F +31 26 3525505 M +31 6 23368970 E [EMAIL PROTECTED] W http://www.sidn.nl/ ___ DNSOP mailing list DNSOP@ietf.org https://www1.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61

Re: [DNSOP] AS112 for TLDs

2007-12-03 Thread Mark Andrews
iterative resolver in the world. You then don't have to use AS112 to absorb the load. The local resolver will answer the query. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED

Re: [DNSOP] Re: AS112 for TLDs

2007-12-04 Thread Mark Andrews
to be formalized in an expanded draft of the current ops document, or not (I think the floor is open on that one for comments). wfms This is using a hammer as a screwdriver. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL

Re: [DNSOP] Re: AS112 for TLDs

2007-12-05 Thread Mark Andrews
Mark Andrews wrote: It's been done. IT DOES NOT WORK. named has code to prevent the records being added because IT DOES NOT WORK and we got sick and tired of telling people who ran up against sites that did it that IT DOES NOT WORK. It's better to prevent than

Re: [DNSOP] Re: AS112 for TLDs

2007-12-05 Thread Mark Andrews
Mark Andrews wrote: Actually no. That is not correct. I did some experimentation using BIND 8 and 9 as root

Re: [DNSOP] Re: AS112 for TLDs

2007-12-05 Thread Mark Andrews
-- -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP mailing list DNSOP@ietf.org https://www1.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Re: AS112 for TLDs

2007-12-05 Thread Mark Andrews
Vixie ___ DNSOP mailing list DNSOP@ietf.org https://www1.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED

Re: [DNSOP] Re: AS112 for TLDs

2007-12-05 Thread Mark Andrews
___ DNSOP mailing list DNSOP@ietf.org https://www1.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1

Re: [DNSOP] AS112 for TLDs

2008-04-03 Thread Mark Andrews
There really is only one solution to preventing bogus traffic reaching the root servers and that is to run a local copy of the root zone. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET

Re: [DNSOP] AS112 for TLDs

2008-04-03 Thread Mark Andrews
On Fri, Apr 04, 2008 at 09:05:25AM +1100, Mark Andrews wrote: There really is only one solution to preventing bogus traffic reaching the root servers and that is to run a local copy of the root zone. er, it (the bogus traffic) still reaches the root. just

Re: [DNSOP] AS112 for TLDs

2008-04-04 Thread Mark Andrews
On Fri, Apr 04, 2008 at 07:37:31AM -0700, David Conrad wrote: On Apr 4, 2008, at 7:02 AM, Andrew Sullivan wrote: On Fri, Apr 04, 2008 at 02:16:32PM +1100, Mark Andrews wrote: er, it (the bogus traffic) still reaches the root. just your copy of the root, not mine

Re: [DNSOP] AS112 for TLDs

2008-04-07 Thread Mark Andrews
Dear colleagues, Not to pick on Mark, but I have the sinking feeling that this discussion is a good example of why some operators think the IETF doesn't understand operational problems. On Sat, Apr 05, 2008 at 10:07:54AM +1100, Mark Andrews wrote: I said COPY. I did not say

Re: [DNSOP] Localhost entries in zones

2008-04-14 Thread Mark Andrews
qualified, initially by .ARPA then by other suffixes. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP mailing list DNSOP@ietf.org

Re: [DNSOP] Services and top-level DNS names

2008-07-04 Thread Mark Andrews
(Thread originated on main IETF mailing list...) In a discussion concerning new TLD names and namespace collisions that might (and to some extent, are likely to) occur, Mark Andrews wrote: So the problem isn't whether some string not listed in 2606 can be allocated, it is how

Re: [DNSOP] Services and top-level DNS names

2008-07-06 Thread Mark Andrews
@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org

Re: [DNSOP] I-D ACTION:draft-licanhuang-dnsop-distributeddns-04.txt

2008-07-08 Thread Mark Andrews
/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-11 Thread Mark Andrews
of implementations. TCP only addresses one of the issues. Masataka Ohta ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-11 Thread Mark Andrews
to disclose your private key. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-15 Thread Mark Andrews
/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-16 Thread Mark Andrews
turned on DNSSEC? Masataka Ohta ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-17 Thread Mark Andrews
Mark Andrews wrote: Considering that two RRs each containing 2048 bit data will need oversized messages, they may not be properly treated by some servers. Those suffering from oversized messages may turn-off DNSSEC and there is instability for those moving with their laptops

Re: [DNSOP] Pointless FUD and confusion about DNSSEC deployment

2008-08-17 Thread Mark Andrews
/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Pointless FUD and confusion about DNSSEC deployment

2008-08-17 Thread Mark Andrews
Mark Andrews wrote: RFC 4035 requires the upstream cache to be RFC 4035 aware. Thanks. As exemplified by assumptions of RFC3225, that's a so unrealistic requirement that no further discussion on DNSSEC is necessary. PERIOD. Given just about anyone can configure a validator

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-20 Thread Mark Andrews
. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] A different question

2008-08-20 Thread Mark Andrews
the policy with the policy consumer. If you have a validating stub resolver you need to think about what cache it talks to. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED

Re: [DNSOP] A different question

2008-08-20 Thread Mark Andrews
a caching nameserver. Authoritative nameserver to iterative client works. Masataka Ohta -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED

Re: [DNSOP] A different question

2008-08-20 Thread Mark Andrews
failures due to one of the three issues I mention above. In any event, I have an answer to my question... Regards, -drc ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St

Re: [DNSOP] A different question

2008-08-20 Thread Mark Andrews
Mark Andrews wrote: BTW, DNS is definitely not end-to-end, because it relies on intelligent intermediate entities of name servers. Actually it doesn't. It can be configured that way but there is no requirement to actually use a caching nameserver. I'm not talking about

Re: [DNSOP] A different question

2008-08-20 Thread Mark Andrews
On Aug 20, 2008, at 6:00 PM, Mark Andrews wrote: Caches will cope with all of the above. There may be some retries. The retries will be logged by some caches. The broken middle boxes will get fixed/replaced. Mark, is it the case that BIND is setting the DO bit

Re: [DNSOP] A different question

2008-08-20 Thread Mark Andrews
Mark Andrews wrote: Because DNS is not end to end, DNSSEC is not secure end to end. Root, TLD and other zones between you and a zone of your peer are the targets of MitM attacks on DNSSEC. Which can be removed if needed by exchanging trust anchors with peers. You can't

Re: [DNSOP] A different question

2008-08-20 Thread Mark Andrews
On Aug 20, 2008, at 6:56 PM, Mark Andrews wrote: DO is not controlled by dnssec-enable or dnssec-validation. DNSSEC is designed to be validator to authoritative server. If you introduce caches then you need to ensure that your cache is doing something

Re: [DNSOP] A different question

2008-08-21 Thread Mark Andrews
Andrew Sullivan wrote: On Fri, Aug 22, 2008 at 12:01:16AM +1000, Mark Andrews wrote: The issues David was pointing out have been visible for years. So too has the recovery behaviour if one chooses to look for it. There is nothing new in what David has been saying. I

Re: [DNSOP] A different question

2008-08-21 Thread Mark Andrews
are insurmountable and I am not only happy to start pushing boulder, I've already begun. Matt ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia

Re: [DNSOP] EDNS0, the DO bit and acceptance of responses [Re: A different question]

2008-08-22 Thread Mark Andrews
not an issue with BIND 9.1 or BIND 9.2. They will just ignore the DNSSEC-4035 records. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP

Re: [DNSOP] Cache poisoning on DNSSEC

2008-08-26 Thread Mark Andrews
-ipngwg-bsd-frag-01 Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] A different question

2008-08-26 Thread Mark Andrews
On Sat, 23 Aug 2008, Mark Andrews wrote: On Fri, 22 Aug 2008, Mark Andrews wrote: David do you have a nameserver we can bounce queries off which has the root zone signed as it would be in production? VeriSign's root DNSSEC testbed is serving a root zone

Re: [DNSOP] A different question

2008-08-26 Thread Mark Andrews
needed more caffeine. Regards, -drc ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL

Re: [DNSOP] Another TLD intending to sign soon

2008-08-27 Thread Mark Andrews
attack here. (2) replay attacks are possible during the lifetimes of zone signatures, which would either convince the target that a zone that has been removed still exists, or that a zone that has been added does not exist. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley

Re: [DNSOP] Cache poisoning on DNSSEC

2008-08-28 Thread Mark Andrews
___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP mailing list DNSOP

Re: [DNSOP] Cache poisoning on DNSSEC

2008-08-28 Thread Mark Andrews
by using a replacement strategy for the KSK. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] ___ DNSOP mailing list DNSOP@ietf.org https

Re: [DNSOP] Cache poisoning on DNSSEC

2008-08-28 Thread Mark Andrews
is always ready and willing to do so, I disagree, based on empirical evidence. So do I. See my other posts. Mark --bill Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET

Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Mark Andrews
factors available than those you can produce using the root servers. The roots still only send unfragmented UDP responses. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED

Re: [DNSOP] [dns-operations] Signed .cz zone

2008-09-02 Thread Mark Andrews
div id=hlavicka style=background-image: url('http://img.nic.cz/nic_bg_hlavicka_en.gif') Firefox complains about insecure content. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED

Re: [DNSOP] I think we may have a solution - DNSCurve

2008-09-02 Thread Mark Andrews
. There are other rcodes that DNSSEC does not cover but NXDOMAIN is not one of them. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED

Re: [DNSOP] DNSKEY / multiprecision number format? (fwd)

2008-09-02 Thread Mark Andrews
to pay a premium for better service? www.av8.net faster, more reliable, better service 617 344 9000 ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley

Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section

2008-09-04 Thread Mark Andrews
It's not an issue. You remove the DS's which have that algorithm then once they have expired from caches you can remove the DNSKEY. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL

Re: [DNSOP] suggestion for 4641bis: key algorithm rollover section

2008-09-04 Thread Mark Andrews
Mark Andrews wrote: It's not an issue. You remove the DS's which have that algorithm then once they have expired from caches you can remove the DNSKEY. That could still leave the zone itself in an inconsistent state... I'm

Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt

2008-09-09 Thread Mark Andrews
everyone to deploy BCP 38, wherever possible, I don't believe we should be relying on BCP 38 deployment to prevent recursive servers being abused. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED

Re: [DNSOP] question on nameserver management reqs draft

2008-09-11 Thread Mark Andrews
to Section 3.2.2 - 3.2.5 I can envision a role that would need to view configuration options, but would not be allowed to modify, add or delete (e.g. some security auditor). Scott Sounds reasonable. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE

Re: [DNSOP] I-D Action:draft-liman-tld-names-00.txt

2009-03-04 Thread Mark Andrews
Shinkuro, Inc. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: [DNSOP] I-D Action:draft-liman-tld-names-00.txt

2009-03-06 Thread Mark Andrews
Shinkuro, Inc. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: [DNSOP] Truncation discussion in draft-ietf-dnsop-dnssec-trust-anchor-02

2009-03-09 Thread Mark Andrews
prevents pre-publishing of keys. I can see no real reason to recommend that DS records be published in preference to DNSKEY records. DNSKEY - DS is a conversion that can be at anytime. This makes DNSKEY a better mandatory record to publish. Mark -- Mark

Re: [DNSOP] Truncation discussion in draft-ietf-dnsop-dnssec-trust-anchor-02

2009-03-09 Thread Mark Andrews
In message f7c89744-a1ca-4fd6-b793-2f4e337e3...@verisign.com, David Blacka writes: On Mar 9, 2009, at 5:35 PM, Mark Andrews wrote: On a related issue DS - DNSKEY translations cannot be performed until the DNSKEY is published in the zone. The use of DS prevents pre

Re: [DNSOP] Truncation discussion in draft-ietf-dnsop-dnssec-trust-anchor-02

2009-03-09 Thread Mark Andrews
In message 20090310041105.ga4...@vacation.karoshi.com., bmann...@vacation.karoshi.com writes: On Tue, Mar 10, 2009 at 08:35:40AM +1100, Mark Andrews wrote: In message 200903091515.n29ffetp055...@stora.ogud.com, Olafur Gudmundsson writes:

Re: [DNSOP] Truncation discussion in draft-ietf-dnsop-dnssec-trust-anchor-02

2009-03-09 Thread Mark Andrews
In message 20090310041254.gb4...@vacation.karoshi.com., bmann...@vacation.karoshi.com writes: On Tue, Mar 10, 2009 at 12:55:51PM +1100, Mark Andrews wrote: In message f7c89744-a1ca-4fd6-b793-2f4e337e3...@verisign.com, David Blacka writes: On Mar 9, 2009, at 5:35 PM, Mark

Re: [DNSOP] Truncation discussion in draft-ietf-dnsop-dnssec-trust-anchor-02

2009-03-10 Thread Mark Andrews
In message a06240804c5dc2ddef...@[10.31.200.116], Edward Lewis writes: At 8:35 +1100 3/10/09, Mark Andrews wrote: This makes DNSKEY a better mandatory record to publish. While there's little empirical data on trust anchors to date, my inclination is to whole-heartedly disagree

Re: [DNSOP] DS vs DNSKEY trust anchors, was Re: Truncation...

2009-03-11 Thread Mark Andrews
In message a06240800c5dd7e5f2...@[10.31.200.116], Edward Lewis writes: At 8:19 +1100 3/11/09, Mark Andrews wrote: In message a06240804c5dc2ddef...@[10.31.200.116], Edward Lewis writes: record involves less typing than a DNSKEY, I'd want to work with a DS record. Has anyone

Re: [DNSOP] RFC1035 and permitted characters in labels

2009-03-11 Thread Mark Andrews
. But that's not the same as a domain name. PS Apologies for changing the Subject: header into something appropriate. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas

Re: [DNSOP] AD bit set by authoritative servers [was: Re: More solicitation for feedback on dns64]

2009-03-26 Thread Mark Andrews
server. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] MX 0 . standard way of saying we don't do email ?

2009-04-10 Thread Mark Andrews
This has been proposed in the past and is consistent with how SRV signals no support. FUD has always shot it down. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: [DNSOP] MX 0 . standard way of saying we don't do email ?

2009-04-13 Thread Mark Andrews
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] where is the validating resolver ?

2009-05-06 Thread Mark Andrews
the response to validate, even though the intermediate system (i.e. recursing resolver) doesn't. Or clock skew or -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: [DNSOP] [dnssec-deployment] Problems with DS change in registry/registrar environment

2009-06-30 Thread Mark Andrews
is available here: http://mail.shinkuro.com:8100/Lists/dnssec-deployment/ and older material is at http://mail.shinkuro.com:8100/Lists/dnssec-deployment-archive/ -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: [DNSOP] [dnssec-deployment] Problems with DS change in registry/registrar environment

2009-06-30 Thread Mark Andrews
In message 4a4a292d.20...@digsys.bg, Daniel Kalchev writes: Mark Andrews wrote: This is simultaneous roll of KSK and ZSK keys. You introduce the keys the *same* way as you would with a single operator. The new operator generates new keys. The are added

Re: [DNSOP] Stockholm meeting slot assignment CHANGED

2009-07-07 Thread Mark Andrews
___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop I don't know what behave's agenda is but there will be DNS topic there. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742

Re: [DNSOP] Comments on draft-livingood-dns-redirect-00

2009-07-14 Thread Mark Andrews
possible, to submit such a request. If the zone is signed it can be reasonably assumed that the owner doesn't want the answers modified as they have taken steps to ensure that such modifications are detected. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61

Re: [DNSOP] Review of draft-livingood-dns-redirect-00

2009-07-15 Thread Mark Andrews
be able to make it to the portal page. I do agree that it makes it more complicated. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ DNSOP mailing list DNSOP

Re: [DNSOP] Review of draft-livingood-dns-redirect-00

2009-07-16 Thread Mark Andrews
In message alpine.lfd.1.10.0907160212170.20...@newtla.xelerance.com, Paul Wouters writes: On Thu, 16 Jul 2009, Mark Andrews wrote: How would this work? With portals that are only available to internal servers you are grafting on namespace and you configure your validator to know

Re: [DNSOP] Review of draft-livingood-dns-redirect-00

2009-07-16 Thread Mark Andrews
over time as the world moves to IPv6. There is very little collateral damage being done by DNS64. There is a lot of collateral damage when you map NXDOMAIN/NXRRSET to a search page. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742

Re: [DNSOP] Question about detecting generated local-zones (relates to draft-ietf-dnsop-default-local-zones-08)

2009-07-28 Thread Mark Andrews
mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ DNSOP mailing list DNSOP@ietf.org https

Re: [DNSOP] Draft on rDNS for IPv6: draft-howard-isp-ip6rdns-00

2009-08-31 Thread Mark Andrews
IPv6 zones. 4.4) draft-howard-isp-ip6rdns-00.txt [Alain Durand][15 min][10:30] Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ DNSOP mailing list

Re: [DNSOP] Draft on rDNS for IPv6: draft-howard-isp-ip6rdns-00

2009-08-31 Thread Mark Andrews
In message 4a9c783e.8090...@dougbarton.us, Doug Barton writes: Mark Andrews wrote: This was on the agenda for DNSOP at the last IETF 75. There was much discussion. Sorry if I'm rehashing this unnecessarily. I did (an admittedly cursory) search of my list archive and didn't see

Re: [DNSOP] Draft on rDNS for IPv6: draft-howard-isp-ip6rdns-00

2009-09-01 Thread Mark Andrews
In message 1251822081.3172.8887.ca...@shane-asus-laptop, Shane Kerr writes: Mark, On Tue, 2009-09-01 at 11:52 +1000, Mark Andrews wrote: If you deploy BCP 38 to the customer level TCP is a good enough authenticator for updating a reverse zone via UPDATE. As I mentioned at the IETF

Re: [DNSOP] Draft on rDNS for IPv6: draft-howard-isp-ip6rdns-00

2009-09-02 Thread Mark Andrews
small fraction of the infrastructural cost. Does it make sense to pursue such a protocol? If so, where would this work best be done? -- Shane ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews

Re: [DNSOP] Draft on rDNS for IPv6: draft-howard-isp-ip6rdns-00

2009-09-02 Thread Mark Andrews
In message 1023e5ce-4faf-4977-84b1-e26693307...@virtualized.org, David Conrad writes: On Sep 2, 2009, at 5:36 PM, Mark Andrews wrote: With IPv6 the address blocks should be stable to ALL customers. Buy stock in memory manufacturers for routing vendors. People don't move house very often

Re: [DNSOP] Draft on rDNS for IPv6: draft-howard-isp-ip6rdns-00

2009-09-02 Thread Mark Andrews
In message 200909030211.n832buty082...@drugs.dv.isc.org, Mark Andrews writes: In message 1023e5ce-4faf-4977-84b1-e26693307...@virtualized.org, David Conrad writes: On Sep 2, 2009, at 5:36 PM, Mark Andrews wrote: With IPv6 the address blocks should be stable to ALL customers. Buy

Re: [DNSOP] Draft on rDNS for IPv6: draft-howard-isp-ip6rdns-00

2009-09-03 Thread Mark Andrews
In message 002701ca2caf$549d3bd0$fdd7b3...@org, Lee Howard writes: -Original Message- From: dnsop-boun...@ietf.org [mailto:dnsop-boun...@ietf.org] On Behalf Of Mark Andrews Sent: Monday, August 31, 2009 9:53 PM To: Doug Barton Cc: dnsop Subject: Re: [DNSOP] Draft

Re: [DNSOP] A practical solution for ISP-level support of the reverse DNS tree for IPv6

2009-09-03 Thread Mark Andrews
is just long term dynamic. For ISPs that do neither manual allocation nor DHCPv6, implementation is problematic, but I don't know of any. I'd be curious to know if anybody is aware of any alternatives for doing this that would work in practice. -- Mark Andrews, ISC 1 Seymour St

Re: [DNSOP] A practical solution for ISP-level support of the reverse DNS tree for IPv6

2009-09-07 Thread Mark Andrews
In message 63fd8b00-b74f-465e-95c8-129a69f52...@nominum.com, Ted Lemon writes: On Sep 3, 2009, at 6:37 PM, Mark Andrews wrote: First what DoS that doesn't exist today? Updates already get sent to the ISP's {IN-ADDR,IP6}.ARPA servers. If you do prefix delegation, you're delegating

Re: [DNSOP] Draft on rDNS for IPv6: draft-howard-isp-ip6rdns-00

2009-09-07 Thread Mark Andrews
Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] A practical solution for ISP-level support of the reverse DNS tree for IPv6

2009-09-07 Thread Mark Andrews
In message f4529f1d-1a2f-48be-bf7c-e06419c07...@nominum.com, Ted Lemon writes: On Sep 7, 2009, at 6:52 PM, Mark Andrews wrote: /56 should be typical for homes /48 should be typical for businesses I don't think this is germane to the discussion. My point in mentioning /64

Re: [DNSOP] Key Management and Provisioningl was Re: .PR ...

2009-09-08 Thread Mark Andrews
this regularly or you may miss a rollover event. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma

Re: [DNSOP] Key Management and Provisioningl was Re: .PR ...

2009-09-08 Thread Mark Andrews
mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ DNSOP mailing list DNSOP@ietf.org https

Re: [DNSOP] Key Management and Provisioningl was Re: .PR ...

2009-09-10 Thread Mark Andrews
, -drc ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: [DNSOP] Key Management and Provisioningl was Re: .PR ...

2009-09-10 Thread Mark Andrews
___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ DNSOP mailing

Re: [DNSOP] DLVs and ITAR

2009-09-11 Thread Mark Andrews
ensure you have procedures in place to keep the trust anchors up to date as the ITAR will regularly add and remove keys. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: [DNSOP] DLVs and ITAR

2009-09-11 Thread Mark Andrews
In message c6d0299b.15ca1%kim.dav...@icann.org, Kim Davies writes: Hi Mark, On 11/09/09 4:01 PM, Mark Andrews ma...@isc.org wrote: IANA still has not provided timing guidance. IANA can you please specify a maximum polling interval on this page and inform the TLD's using ITAR

Re: [DNSOP] DLVs and ITAR

2009-09-11 Thread Mark Andrews
In message 200909112347.n8bnl2d9009...@drugs.dv.isc.org, Mark Andrews writes: In message c6d0299b.15ca1%kim.dav...@icann.org, Kim Davies writes: Hi Mark, On 11/09/09 4:01 PM, Mark Andrews ma...@isc.org wrote: IANA still has not provided timing guidance. IANA can you

Re: [DNSOP] Key Management and Provisioningl was Re: .PR ...

2009-09-11 Thread Mark Andrews
ITAR polling interval so that no extra delay is added. Mark Roy ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742
