Re: 2019-01-11 ARIN.NET DNSSEC Outage – Post-Mortem (was: Re: ARIN NS down?)

2019-01-14 Thread Stephane Bortzmeyer
On Fri, Jan 11, 2019 at 08:59:10PM +, John Curran wrote a message of 125 lines which said: > Our monitoring systems reported being green until the signatures > expired as they presently check that the SOA's match on the internal > and external nameservers. For checking of DNSSEC signature

2019-01-11 ARIN.NET DNSSEC Outage – Post-Mortem (was: Re: ARIN NS down?)

2019-01-11 Thread John Curran
On 11 Jan 2019, at 10:39 AM, John Curran mailto:jcur...@arin.net>> wrote: On Fri, Jan 11, 2019 at 07:57:25PM +0530, couldn't get address for 'ns1.arin.net': not found Folks - This has been resolved - arin.net zone is again correctly signed. Post-mort

Re: Dnssec still inoperable on the internet ?— was ARIN NS down?

2019-01-11 Thread Ca By
On Fri, Jan 11, 2019 at 10:54 AM Mikael Abrahamsson wrote: > On Fri, 11 Jan 2019, Ca By wrote: > > > Thanks for the update that dnssec STILL causes more real world problems > > than it solves. > > Do you feel the same way about RPKI? > Misorgination is a real threat we see all the time (threat o

Re: Dnssec still inoperable on the internet ?— was ARIN NS down?

2019-01-11 Thread Mikael Abrahamsson
On Fri, 11 Jan 2019, Ca By wrote: Thanks for the update that dnssec STILL causes more real world problems than it solves. Do you feel the same way about RPKI? -- Mikael Abrahamssonemail: swm...@swm.pp.se

Re: Dnssec still inoperable on the internet ?— was ARIN NS down?

2019-01-11 Thread Antonios Chariton
Maybe a Report-URI for DNSSEC Validation Errors? :-) > On 11 Jan 2019, at 20:16, Randy Bush wrote: > >> It's because you see problems it causes, and do not see problems it >> solves ;) >> >>> Thanks for the update that dnssec STILL causes more real world problems >>> than it solves. > > hmmm.

Re: Dnssec still inoperable on the internet ?― was ARIN NS down?

2019-01-11 Thread Randy Bush
> It's because you see problems it causes, and do not see problems it > solves ;) > >> Thanks for the update that dnssec STILL causes more real world problems >> than it solves.  hmmm. has anyone set about to measure that? randy

Re: Dnssec still inoperable on the internet ?— was ARIN NS down?

2019-01-11 Thread Max Tulyev
like nasa, so > can you. No your threats and deploy wisely > > -- Forwarded message - > From: *John Curran* mailto:jcur...@istaff.org>> > Date: Fri, Jan 11, 2019 at 6:36 AM > Subject: Re: ARIN NS down? > To: Suresh Ramasubramanian <mailto:ops

Re: Dnssec still inoperable on the internet ?— was ARIN NS down?

2019-01-11 Thread Ca By
On Fri, Jan 11, 2019 at 8:10 AM Stephane Bortzmeyer wrote: > On Fri, Jan 11, 2019 at 07:58:25AM -0800, > Ca By wrote > a message of 488 lines which said: > > > No your threats and deploy wisely > > Say no to the threats :-) > This is nanog, so i used the cisco no Its like , negate threats :)

Re: Dnssec still inoperable on the internet ?— was ARIN NS down?

2019-01-11 Thread Stephane Bortzmeyer
On Fri, Jan 11, 2019 at 07:58:25AM -0800, Ca By wrote a message of 488 lines which said: > No your threats and deploy wisely Say no to the threats :-)

Dnssec still inoperable on the internet ?— was ARIN NS down?

2019-01-11 Thread Ca By
:36 AM Subject: Re: ARIN NS down? To: Suresh Ramasubramanian CC: NANOG Suresh - We’re aware and working the problem. It looks to me like expired RRSIG/DNSKEY’s for the zone, so if you’re using a DNSSEC validating resolver (e.g. Google, Cloudflare, Cogent) then ARIN.NET <http://arin.net/&

Re: ARIN NS down?

2019-01-11 Thread John Curran
On Fri, Jan 11, 2019 at 07:57:25PM +0530, couldn't get address for 'ns1.arin.net': not found Folks - This has been resolved - arin.net zone is again correctly signed. Post-mortem forthcoming, /John John Curran President and CEO American Registry for Int

Re: ARIN NS down?

2019-01-11 Thread i3D.net - Martijn Schmidt
Is this the right time to ask whether everyone who operates DNSSEC validating resolvers was required to click somewhere on the ARIN website that they agree to be bound by the Relying Party Agreement before their resolver can make DNSSEC lookups against the ARIN nameservers? Or does that logic only

Re: ARIN NS down?

2019-01-11 Thread Stephane Bortzmeyer
On Fri, Jan 11, 2019 at 07:57:25PM +0530, Suresh Ramasubramanian wrote a message of 56 lines which said: > couldn't get address for 'ns1.arin.net': not found DNSSEC issue, they let the signatures expire

Re: ARIN NS down?

2019-01-11 Thread John Curran
Suresh - We’re aware and working the problem. It looks to me like expired RRSIG/DNSKEY’s for the zone, so if you’re using a DNSSEC validating resolver (e.g. Google, Cloudflare, Cogent) then ARIN.NET is unreachable. ARIN’s engineering team is working on resolution now. /Jo

ARIN NS down?

2019-01-11 Thread Suresh Ramasubramanian
couldn't get address for 'ns1.arin.net': not found couldn't get address for 'ns2.arin.net': not found couldn't get address for 'u.arin.net': not found couldn't get address for 'ns3.arin.net': not found dig: couldn't get address for 'ns1.arin.net': no more srs@Sureshs-MacBook-Pro-2 19:56:18 <~> $ d