Mark Andrews wrote:
Just saying, facts are on my side. Check the number of times dnssec
caused an outage. Then check the number of hacks prevented by
dnssec. Literally 0.
How do you know? Unless you investigated every single time DNSSEC
validation returned bogus to get to the root cause you
Arne Jensen wrote:
Because every authoritative RRset in a zone must be protected by a
digital signature, RRSIG RRs must be present for names containing a
CNAME RR. This is a change to the traditional DNS specification
[RFC1034], which stated that if a CNAME is present for a
> On 10 Dec 2021, at 01:36, Ca By wrote:
>
>
>
> On Thu, Dec 9, 2021 at 1:07 AM Arne Jensen wrote:
> On 08-12-2021 at 15:32, Niels Bakker wrote:
> > * darkde...@darkdevil.dk (Arne Jensen) [Wed 08 Dec 2021, 15:23 CET]:
> >> To me, that part of it also points towards a broken implementation
I understand now and I agree with you that there’s something fishy there.
Fear sells.
Thanks
Jean
From: Ca By
Sent: December 9, 2021 10:47 AM
To: Jean St-Laurent
Cc: Arne Jensen ; nanog@nanog.org
Subject: Re: Anyone else seeing DNSSEC failures from EU Commission ?
(european
*To:* Arne Jensen
> *Cc:* nanog@nanog.org
> *Subject:* Re: Anyone else seeing DNSSEC failures from EU Commission ? (
> european-union.europa.eu)
>
>
>
> and you feeding the vendor / hacker ddos death spiral
>
Ca By wrote on 09/12/2021 14:36:
Just saying, facts are on my side. Check the number of times dnssec
caused an outage. Then check the number of hacks prevented by dnssec.
Literally 0.
it serves a purpose. There are plenty of actors, both public and
private sector, who would be happy to
What is a ddos death spiral?
Jean
From: NANOG On Behalf Of Ca By
Sent: December 9, 2021 9:36 AM
To: Arne Jensen
Cc: nanog@nanog.org
Subject: Re: Anyone else seeing DNSSEC failures from EU Commission ?
(european-union.europa.eu)
and you feeding the vendor / hacker ddos death spiral
I’m not sure what you’re talking about. DNSSEC is alive and well and protects
DNS in-flight from modification. Any client with proper DNSSEC implemented will
drop any forged DNS response from an attacker's DNS server and prevent them from
loading whatever resource they were trying to access.
On Thu, Dec 9, 2021 at 1:07 AM Arne Jensen wrote:
> On 08-12-2021 at 15:32, Niels Bakker wrote:
> > * darkde...@darkdevil.dk (Arne Jensen) [Wed 08 Dec 2021, 15:23 CET]:
> >> To me, that part of it also points towards a broken implementation at
> >> CloudFlare, letting a bogus (insecure)
On 08-12-2021 at 15:32, Niels Bakker wrote:
* darkde...@darkdevil.dk (Arne Jensen) [Wed 08 Dec 2021, 15:23 CET]:
To me, that part of it also points towards a broken implementation at
CloudFlare, letting bogus (insecure) responses take effect anyway.
Or they prefer allowing people to visit
On 08-12-2021 at 16:23, Masataka Ohta wrote:
Arne Jensen wrote:
It is my understanding that the CNAME should never have been followed,
Wrong.
Hmm, okay.
-> https://www.rfc-editor.org/rfc/rfc4034.txt
Section 3, "The RRSIG Resource Record", at the third phrase:
Because every
Ca By wrote:
It’s quite common for DNSSEC to fail at spectacular scale
What’s uncommon? Attacks that DNSSEC is intended to solve.
DNSSEC is considered harmful on the internet
Correct.
The problem is that PKI, in general, does not offer cryptographic
security but just assumes
Arne Jensen wrote:
It is my understanding that the CNAME should never have been followed,
Wrong.
since there isn't any covering RRSIG for the actual CNAME, exactly as
the elaborative message on dnsviz.net claims.
That CNAME RR is authenticated means it securely points to some
other domain
On Wed, Dec 8, 2021 at 6:35 AM Niels Bakker wrote:
> * darkde...@darkdevil.dk (Arne Jensen) [Wed 08 Dec 2021, 15:23 CET]:
> >To me, that part of it also points towards a broken implementation at
> >CloudFlare, letting bogus (insecure) responses take effect anyway.
>
> Or they prefer allowing
* darkde...@darkdevil.dk (Arne Jensen) [Wed 08 Dec 2021, 15:23 CET]:
To me, that part of it also points towards a broken implementation at
CloudFlare, letting bogus (insecure) responses take effect anyway.
Or they prefer allowing people to visit websites over punishing
system administrators
On 08-12-2021 at 14:35, Marco Davids (Private) via NANOG wrote:
Hi Laura,
Something seems the matter, indeed:
https://dnsviz.net/d/european-union.europa.eu/YbCzrQ/dnssec/
It's weird; 1.1.1.1 resolves, 8.8.8.8 and 9.9.9.9 return SERVFAIL.
It is my understanding that the CNAME should never
Thanks Stephane. I've subsequently had confirmation on the grapevine (indirect
comms with CERT-EU) that they are indeed aware of a DNS issue but no detail or
estimated fix time.
--- Original Message ---
On Wednesday, December 8th, 2021 at 13:40, Stephane Bortzmeyer
wrote:
> On Wed,
On Wed, Dec 08, 2021 at 01:27:23PM +,
Laura Smith via NANOG wrote
a message of 18 lines which said:
> Bit of a long stretch given the US audience, but I'm seeing lots of things
> like this at the moment:
Indeed, they botched DNSSEC
On 12/8/21 15:27, Laura Smith via NANOG wrote:
Bit of a long stretch given the US audience, but I'm seeing lots of things like
this at the moment:
info: validation failure : key for validation european-union.europa.eu. is marked as invalid because of a previous validation failure : DS
Hi Laura,
Something seems the matter, indeed:
https://dnsviz.net/d/european-union.europa.eu/YbCzrQ/dnssec/
It's weird; 1.1.1.1 resolves, 8.8.8.8 and 9.9.9.9 return SERVFAIL.
--
Marco
On 08-12-2021 at 14:27, Laura Smith via NANOG wrote:
Bit of a long stretch given the US audience, but I'm