Dns-operations

Popular Threads From Dns-operations:

Missing .us and GTLD records??

Online DNSSEC debugging tool now availalbe

.de DNS servers returning NXDOMAIN

The possible problems after May 5th

Uspto.gov

List Statistics

Total Threads: 386
Total Posts: 705

Phrases Used to Find This Thread

Page 1 of 1

01-07-2010 02:55 PM

Dns-operations member admin is online now

User

16-07-2010 08:21 AM

Dns-operations member admin is online now

User

16-07-2010 11:10 AM

Dns-operations member admin is online now

User

16-07-2010 01:15 PM

Dns-operations member admin is online now

User

16-07-2010 01:33 PM

Dns-operations member admin is online now

User

16-07-2010 02:16 PM

Dns-operations member admin is online now

User

16-07-2010 02:23 PM

Dns-operations member admin is online now

User

16-07-2010 02:39 PM

Dns-operations member admin is online now

User

16-07-2010 02:48 PM

Dns-operations member admin is online now

User

#10

16-07-2010 02:54 PM

Dns-operations member admin is online now

User

#11

16-07-2010 03:42 PM

Dns-operations member admin is online now

User

#12

16-07-2010 03:49 PM

Dns-operations member admin is online now

User

#13

16-07-2010 03:52 PM

Dns-operations member admin is online now

User

#14

16-07-2010 04:27 PM

Dns-operations member admin is online now

User

#15

16-07-2010 04:37 PM

Dns-operations member admin is online now

User

On Jul 16 2010, Phil Regnauld wrote:

>Frank Habicht (geier) writes:
>>
>> by a tool announced after the root was signed?
>> adding more work to accommodate a temp. band-aid that's obsolete the
>> sooner the better?
>>
>> I'm guessing / hoping ISC agree.
>> _IF_ i understand some things correctly then the purpose of DLV is on a
>> downwards slope now, right?
>
> Yes and no - I don't know ISC's intenet - Paul Vixie did say that
> DLV won't be necessary in the future, but there will still be
> islands of signed data with parents that don't sign.
>
> On the other hand, the pressue is greater on these TLDs/SLDs to
> get signing if DLV goes away and the root is signed. Either that
> or see security conscious users move to other domains.

I think we will have to wait at least until COM is signed and accepting
signed delegations before one can expect DLV to be "on a downward slope".

DLV RRset count in dlv.isc.org seems to remain on an upward trend at the
moment (1651 today, 1495 a month ago).

--
Chris Thompson University of Cambridge Computing Service,
Phone: +44 1223 334715 United Kingdom.

_______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe. On Thu, Jul 15, 2010 at 03:15:12PM -0700,
a message of 15 lines which said:

> http://dnssec-de****.verisignlabs.com

The third one, after and
, no ?

For sources.org, a few nits:

1) there is a spurious warning "Unknown host
munzer.ipv6.bortzmeyer.org" which is clearly wrong, this machine has
an address and replies:
...
;; ANSWER SECTION:
sources.org. 86400 IN SOA ns3.bortzmeyer.org. hostmaster.bortzmeyer.org. 2010070400 7200 3600 604800 43200
...
;; SERVER: 2001:470:1f11:3aa::1#53(2001:470:1f11:3aa::1)

2) there is a warning "No DS records found for sources.org in the org
zone" whch is true but misleading (my registrar does not accept DS
yet, so I cannot do anything, anyway) because sources.org is in

3) there is a green light "Found 2 DNSKEY records for sources.org" but
there is no KSK/ZSK split in this domain. May be this should be
tested.

_______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe.
On Jul 16, 2010, at 9:21 AM, Stephane Bortzmeyer wrote:

> On Thu, Jul 15, 2010 at 03:15:12PM -0700,
> a message of 15 lines which said:
>
>> http://dnssec-de****.verisignlabs.com
>
> The third one, after and
> , no ?

I like Duane's little tool. Not quite as pedantic and noisy as the other online checkers.

Well done Duane.

Roy
_______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe.
I probably miss something,
but i have the below question.

On 7/16/2010 10:21 AM, Stephane Bortzmeyer wrote:
>................ because sources.org is in

by a tool announced after the root was signed?
adding more work to accommodate a temp. band-aid that's obsolete the
sooner the better?

I'm guessing / hoping ISC agree.
_IF_ i understand some things correctly then the purpose of DLV is on a
downwards slope now, right?

Frank
_______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe. Frank Habicht (geier) writes:
>
> by a tool announced after the root was signed?
> adding more work to accommodate a temp. band-aid that's obsolete the
> sooner the better?
>
> I'm guessing / hoping ISC agree.
> _IF_ i understand some things correctly then the purpose of DLV is on a
> downwards slope now, right?

Yes and no - I don't know ISC's intenet - Paul Vixie did say that
DLV won't be necessary in the future, but there will still be
islands of signed data with parents that don't sign.

On the other hand, the pressue is greater on these TLDs/SLDs to
get signing if DLV goes away and the root is signed. Either that
or see security conscious users move to other domains.

Cheers,
Phil
_______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe. >
> I like Duane's little tool. Not quite as pedantic and noisy as the other online checkers.
>
> Well done Duane.
>

The interface is quite simple and concise, and that is key for
utility. Keep up the good work, Duane.

Casey
_______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe. Agreed, it is a nice tool.

Duane:

I notice that when "More detail" is clicked, it shows verification attempts where the KeyTag does not match, e.g.

RRSIG=754 and DNSKEY=55799 does not verify the DNSKEY RRset (Verification of RSA string generated error: Signature longer than key)

This seems to imply the KeyTag is not being checked before attempting to verify the signature.

Also, it hardly seems worth reporting this.

George

----- Original Message -----
Sent: Friday, July 16, 2010 11:10 AM
Subject: Re: [dns-operations] Online DNSSEC debugging tool now availalbe

> On Jul 16, 2010, at 9:21 AM, Stephane Bortzmeyer wrote:
>
>> On Thu, Jul 15, 2010 at 03:15:12PM -0700,
>> a message of 15 lines which said:
>>
>>> http://dnssec-de****.verisignlabs.com
>>
>> The third one, after and
>> , no ?
>
> I like Duane's little tool. Not quite as pedantic and noisy as the other online checkers.
>
> Well done Duane.
>
> Roy
> _______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe.
On Fri, Jul 16, 2010 at 03:15:06PM +0300,
a message of 20 lines which said:

> _IF_ i understand some things correctly then the purpose of DLV is
> on a downwards slope now, right?

That's wishful thinking. Several big TLD are not signed (co.uk, de,
com) and even when they are , the vast majority of registrars do not
allow transmission of DS records.
_______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe. On Fri, Jul 16, 2010 at 03:39:22PM +0200, Stephane Bortzmeyer wrote:
> com) and even when they are , the vast majority of registrars do not
> allow transmission of DS records.

Surely the second of these is what we have a competitive market in
registration services for? I don't know about all registries, of
course, but in many registries it is possible to change your
registrar. So if you want to add your DS record, but your registrar
won't let you, it seems to me you can go find another registrar who
will. (Would a central clearing house wiki sort of thing to highlight
who does what where help?)

A

--
Andrew Sullivan
Shinkuro, Inc.
_______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe. On Fri, Jul 16, 2010 at 09:48:34AM -0400,
a message of 22 lines which said:

> I don't know about all registries, of course, but in many registries
> it is possible to change your registrar.

For many signed TLD (.org for instance), there are only one or two
registrars which accept DS records.

> So if you want to add your DS record, but your registrar won't let
> you, it seems to me you can go find another registrar who will.

Also, if you move out of the IETF/OARC/RIPE world, DNSSEC is not
important enough to switch to another registrar (may be more expensive
or having other issues) just because of DNSSEC. Even I won't do that.

> (Would a central clearing house wiki sort of thing to highlight who
> does what where help?)

The equivalent of but for
DNSSEC would certainly be useful.
_______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe. On 7/16/10 8:48 AM, Andrew Sullivan wrote:
> On Fri, Jul 16, 2010 at 03:39:22PM +0200, Stephane Bortzmeyer wrote:
>> com) and even when they are , the vast majority of registrars do not
>> allow transmission of DS records.
>
> Surely the second of these is what we have a competitive market in
> registration services for?

I secretly think all the gas stations in town call one another to set
equally high prices, certainly within an area. Perhaps the registrars
have phones too?

--Michael
_______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe. On 2010-07-16, at 9:54 AM, Stephane Bortzmeyer wrote:

> On Fri, Jul 16, 2010 at 09:48:34AM -0400,
> a message of 22 lines which said:
>
>> I don't know about all registries, of course, but in many registries
>> it is possible to change your registrar.
>
> For many signed TLD (.org for instance), there are only one or two
> registrars which accept DS records.
>
>> So if you want to add your DS record, but your registrar won't let
>> you, it seems to me you can go find another registrar who will.
>
> Also, if you move out of the IETF/OARC/RIPE world, DNSSEC is not
> important enough to switch to another registrar (may be more expensive
> or having other issues) just because of DNSSEC. Even I won't do that.

My experience was that I moved to GoDaddy in order to get DNSSEC support for sanxion.org and found a nicer management interface and significantly reduced pricing as a bonus.

dave
_______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe. On Jul 16, 2010, at 4:42 PM, Michael Graff wrote:

> I secretly think all the gas stations in town call one another to set
> equally high prices, certainly within an area. Perhaps the registrars
> have phones too?

Michael, are you claiming that registrars form a cartel against DNSSEC (or price fixing?)

Roy
_______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe. On 7/16/10 9:52 AM, Roy Arends wrote:
> On Jul 16, 2010, at 4:42 PM, Michael Graff wrote:
>
>> I secretly think all the gas stations in town call one another to set
>> equally high prices, certainly within an area. Perhaps the registrars
>> have phones too?
>
> Michael, are you claiming that registrars form a cartel against DNSSEC (or price fixing?)

Certainly not, but it will take one to break the mold in some areas to
get the others to follow suit.

--Michael
_______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe. Trying not to make this a sales pitch so i apologize if it feels like one, but we do support DS upload at name.com to org, us, etc. and would love some DNS gurus and non-gurus to give us feedback

i agree it would be good to have a wiki somewhere that said which registrars support DNSSEC etc.

On Jul 16, 2010, at 8:42 AM, Michael Graff wrote:

> On 7/16/10 8:48 AM, Andrew Sullivan wrote:
>> On Fri, Jul 16, 2010 at 03:39:22PM +0200, Stephane Bortzmeyer wrote:
>>> com) and even when they are , the vast majority of registrars do not
>>> allow transmission of DS records.
>>
>> Surely the second of these is what we have a competitive market in
>> registration services for?
>
> I secretly think all the gas stations in town call one another to set
> equally high prices, certainly within an area. Perhaps the registrars
> have phones too?
>
> --Michael
> _______________________________________________
___________________________________________________

Posted on the Dns-operations mailing list. Go to https://lists.dns-oarc.net/mailman/listinfo/dns-operations to subscribe.

#16

16-07-2010 05:20 PM

Dns-operations member admin is online now

User

#17

16-07-2010 06:19 PM

Dns-operations member admin is online now

User

#18

16-07-2010 06:30 PM

Dns-operations member admin is online now

User

#19

17-07-2010 04:23 AM

Dns-operations member admin is online now

User

#20

17-07-2010 05:59 AM

Dns-operations member admin is online now

User

Page 1 of 1

NewsArc Lists | Culture Pages | Computing Archive | Media-Pages

Link to this page on your blog or website by copying the HTML code below and pasting it into your site:

Next Thread »