DNSSEC and Geodns
Nothing's ever easy, is it? So I got pdns up and going this afternoon with it's geo back end. It's working as expected and everything is good. The problem is pdns's dnssec implementation is... not particularly mature or really even usable AFAIK with geodns. Anyone out there doing both geo location and dnssec with their name servers? -Mike ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath wrote: > Nothing's ever easy, is it? > > So I got pdns up and going this afternoon with it's geo back end. It's > working as expected and everything is good. The problem is pdns's dnssec > implementation is... not particularly mature or really even usable AFAIK > with geodns. > > Anyone out there doing both geo location and dnssec with their name > servers? Not really. Most places I know do not do dns-sec (either waiting until .com/.org is signed or until its required) or if they are doing dns-sec aren't doing geoip. The solutions that comes to mind would be to have the geoip code in an unsigned sub-zone. Its not great but until 2011 I don't see it being much better. > -Mike > > ___ > Fedora-infrastructure-list mailing list > Fedora-infrastructure-list@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list > -- Stephen J Smoogen. Ah, but a man's reach should exceed his grasp. Or what's a heaven for? -- Robert Browning ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
On Fri, 20 Nov 2009, Stephen John Smoogen wrote: > On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath wrote: > > Nothing's ever easy, is it? > > > > So I got pdns up and going this afternoon with it's geo back end. It's > > working as expected and everything is good. The problem is pdns's dnssec > > implementation is... not particularly mature or really even usable AFAIK > > with geodns. > > > > Anyone out there doing both geo location and dnssec with their name > > servers? > > Not really. Most places I know do not do dns-sec (either waiting until > .com/.org is signed or until its required) or if they are doing > dns-sec aren't doing geoip. The solutions that comes to mind would be > to have the geoip code in an unsigned sub-zone. Its not great but > until 2011 I don't see it being much better. > Ugh, I really don't want to have to choose, nb did great work with getting dnssec going. -Mike___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath wrote: > On Fri, 20 Nov 2009, Stephen John Smoogen wrote: > >> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath wrote: >> > Nothing's ever easy, is it? >> > >> > So I got pdns up and going this afternoon with it's geo back end. It's >> > working as expected and everything is good. The problem is pdns's dnssec >> > implementation is... not particularly mature or really even usable AFAIK >> > with geodns. >> > >> > Anyone out there doing both geo location and dnssec with their name >> > servers? >> >> Not really. Most places I know do not do dns-sec (either waiting until >> .com/.org is signed or until its required) or if they are doing >> dns-sec aren't doing geoip. The solutions that comes to mind would be >> to have the geoip code in an unsigned sub-zone. Its not great but >> until 2011 I don't see it being much better. >> > > Ugh, I really don't want to have to choose, nb did great work with getting > dnssec going. I would only do it for a subzone and not for the main one. Basically have ns1/ns2 have the signed zones and the subzones on another one. -- Stephen J Smoogen. Ah, but a man's reach should exceed his grasp. Or what's a heaven for? -- Robert Browning ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
On Sat, Nov 21, 2009 at 1:18 PM, Stephen John Smoogen wrote: > On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath wrote: >> On Fri, 20 Nov 2009, Stephen John Smoogen wrote: >> >>> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath wrote: >>> > Nothing's ever easy, is it? >>> > >>> > So I got pdns up and going this afternoon with it's geo back end. It's >>> > working as expected and everything is good. The problem is pdns's dnssec >>> > implementation is... not particularly mature or really even usable AFAIK >>> > with geodns. >>> > >>> > Anyone out there doing both geo location and dnssec with their name >>> > servers? >>> >>> Not really. Most places I know do not do dns-sec (either waiting until >>> .com/.org is signed or until its required) or if they are doing >>> dns-sec aren't doing geoip. The solutions that comes to mind would be >>> to have the geoip code in an unsigned sub-zone. Its not great but >>> until 2011 I don't see it being much better. >>> >> >> Ugh, I really don't want to have to choose, nb did great work with getting >> dnssec going. > > I would only do it for a subzone and not for the main one. Basically > have ns1/ns2 have the signed zones and the subzones on another one. Surely this is going to increase the time needed for clients to perform DNS lookups on the content we got GEO-Located (i.e. fedoraproject.org/admin.fedoraproject.org) - Nigel ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
On Fri, Nov 20, 2009 at 8:27 PM, Nigel Jones wrote: > On Sat, Nov 21, 2009 at 1:18 PM, Stephen John Smoogen > wrote: >> On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath wrote: >>> Ugh, I really don't want to have to choose, nb did great work with getting >>> dnssec going. >> >> I would only do it for a subzone and not for the main one. Basically >> have ns1/ns2 have the signed zones and the subzones on another one. > Surely this is going to increase the time needed for clients to > perform DNS lookups on the content we got GEO-Located (i.e. > fedoraproject.org/admin.fedoraproject.org) Usually the time is really pretty small. > - Nigel > > ___ > Fedora-infrastructure-list mailing list > Fedora-infrastructure-list@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list > -- Stephen J Smoogen. Ah, but a man's reach should exceed his grasp. Or what's a heaven for? -- Robert Browning ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
On Fri, Nov 20, 2009 at 4:09 PM, Mike McGrath wrote: > Nothing's ever easy, is it? > > So I got pdns up and going this afternoon with it's geo back end. It's > working as expected and everything is good. The problem is pdns's dnssec > implementation is... not particularly mature or really even usable AFAIK > with geodns. > > Anyone out there doing both geo location and dnssec with their name > servers? Hmm... not sure if this rates as a 'clever' or 'ugly' hack: http://phix.me/geodns/ -- Jeff Ollie ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
On Fri, 20 Nov 2009, Stephen John Smoogen wrote: > On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath wrote: > > On Fri, 20 Nov 2009, Stephen John Smoogen wrote: > > > >> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath wrote: > >> > Nothing's ever easy, is it? > >> > > >> > So I got pdns up and going this afternoon with it's geo back end. It's > >> > working as expected and everything is good. The problem is pdns's dnssec > >> > implementation is... not particularly mature or really even usable AFAIK > >> > with geodns. > >> > > >> > Anyone out there doing both geo location and dnssec with their name > >> > servers? > >> > >> Not really. Most places I know do not do dns-sec (either waiting until > >> .com/.org is signed or until its required) or if they are doing > >> dns-sec aren't doing geoip. The solutions that comes to mind would be > >> to have the geoip code in an unsigned sub-zone. Its not great but > >> until 2011 I don't see it being much better. > >> > > > > Ugh, I really don't want to have to choose, nb did great work with getting > > dnssec going. > > I would only do it for a subzone and not for the main one. Basically > have ns1/ns2 have the signed zones and the subzones on another one. > So, for example 'fedoraproject.org' wouldn't be signed, but 'us.fedoraproject.org' would be? I *think* that's possible but I haven't gotten it to work. If I can get that to work though I guess that makes sense because A) it'd work for now and B) I'm sure over time pdns's dnssec will continue to mature. -Mike___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
On Fri, 20 Nov 2009, Mike McGrath wrote: > On Fri, 20 Nov 2009, Stephen John Smoogen wrote: > > > On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath wrote: > > > On Fri, 20 Nov 2009, Stephen John Smoogen wrote: > > > > > >> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath > > >> wrote: > > >> > Nothing's ever easy, is it? > > >> > > > >> > So I got pdns up and going this afternoon with it's geo back end. It's > > >> > working as expected and everything is good. The problem is pdns's > > >> > dnssec > > >> > implementation is... not particularly mature or really even usable > > >> > AFAIK > > >> > with geodns. > > >> > > > >> > Anyone out there doing both geo location and dnssec with their name > > >> > servers? > > >> > > >> Not really. Most places I know do not do dns-sec (either waiting until > > >> .com/.org is signed or until its required) or if they are doing > > >> dns-sec aren't doing geoip. The solutions that comes to mind would be > > >> to have the geoip code in an unsigned sub-zone. Its not great but > > >> until 2011 I don't see it being much better. > > >> > > > > > > Ugh, I really don't want to have to choose, nb did great work with getting > > > dnssec going. > > > > I would only do it for a subzone and not for the main one. Basically > > have ns1/ns2 have the signed zones and the subzones on another one. > > > > So, for example 'fedoraproject.org' wouldn't be signed, but > 'us.fedoraproject.org' would be? I *think* that's possible but I haven't > gotten it to work. If I can get that to work though I guess that makes > sense because A) it'd work for now and B) I'm sure over time pdns's dnssec > will continue to mature. > I should explain this to people not familiar with pdns with the geo backend (as I was unfamiliar about 12 hours ago :) right now I've got powerdns to literally pull from our normal bind configs (with a few modifications). pdns uses this for most of it's data. But the geo ip lookups would happen prior to the bind lookups and the way it's setup now would return a cname. So, depending on where you are located and how we set things up. 'fedoraproject.org' would point to us.fedoraproject.org or de.fedoraproject.org or maybe even na or eu.fedoraproject.org. AFAIK, that cname can't be signed with the way pdns currently works. *however* I think what the cname points to could be signed. I'm not sure if this completely bypasses what dnssec would get us or not but I suspect it's the a record signings that are the most important. Thoughts? -Mike___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
On Fri, Nov 20, 2009 at 9:09 PM, Mike McGrath wrote: > On Fri, 20 Nov 2009, Stephen John Smoogen wrote: > >> On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath wrote: >> > On Fri, 20 Nov 2009, Stephen John Smoogen wrote: >> > >> >> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath wrote: >> >> > Nothing's ever easy, is it? >> >> > >> >> > So I got pdns up and going this afternoon with it's geo back end. It's >> >> > working as expected and everything is good. The problem is pdns's >> >> > dnssec >> >> > implementation is... not particularly mature or really even usable >> >> > AFAIK >> >> > with geodns. >> >> > >> >> > Anyone out there doing both geo location and dnssec with their name >> >> > servers? >> >> >> >> Not really. Most places I know do not do dns-sec (either waiting until >> >> .com/.org is signed or until its required) or if they are doing >> >> dns-sec aren't doing geoip. The solutions that comes to mind would be >> >> to have the geoip code in an unsigned sub-zone. Its not great but >> >> until 2011 I don't see it being much better. >> >> >> > >> > Ugh, I really don't want to have to choose, nb did great work with getting >> > dnssec going. >> >> I would only do it for a subzone and not for the main one. Basically >> have ns1/ns2 have the signed zones and the subzones on another one. >> > > So, for example 'fedoraproject.org' wouldn't be signed, but > 'us.fedoraproject.org' would be? I *think* that's possible but I haven't > gotten it to work. If I can get that to work though I guess that makes > sense because A) it'd work for now and B) I'm sure over time pdns's dnssec > will continue to mature. I meant more like fedoraproject.org would be signed xxx.mirrors.fedoraproject.org wouldn't be. But now I see that doens't cover the items we have. -- Stephen J Smoogen. Ah, but a man's reach should exceed his grasp. Or what's a heaven for? -- Robert Browning ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath wrote: > > So, for example 'fedoraproject.org' wouldn't be signed, but > 'us.fedoraproject.org' would be? I *think* that's possible but I haven't > gotten it to work. If I can get that to work though I guess that makes > sense because A) it'd work for now and B) I'm sure over time pdns's dnssec > will continue to mature. No, that wouldn't really work, because then you couldn't trust lookups from the fedoraproject.org zone, which would include delegations to the subdomains, the main website itself, MX records, etc. -- Jeff Ollie ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
On Fri, 20 Nov 2009, Jeffrey Ollie wrote: > On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath wrote: > > > > So, for example 'fedoraproject.org' wouldn't be signed, but > > 'us.fedoraproject.org' would be? I *think* that's possible but I haven't > > gotten it to work. If I can get that to work though I guess that makes > > sense because A) it'd work for now and B) I'm sure over time pdns's dnssec > > will continue to mature. > > No, that wouldn't really work, because then you couldn't trust lookups > from the fedoraproject.org zone, which would include delegations to > the subdomains, the main website itself, MX records, etc. > But if fedoraproject.org pointed to some place that wasn't signed or was signed incorrectly, wouldn't that fail? -Mike___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath wrote: > On Fri, 20 Nov 2009, Jeffrey Ollie wrote: > >> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath wrote: >> > >> > So, for example 'fedoraproject.org' wouldn't be signed, but >> > 'us.fedoraproject.org' would be? I *think* that's possible but I haven't >> > gotten it to work. If I can get that to work though I guess that makes >> > sense because A) it'd work for now and B) I'm sure over time pdns's dnssec >> > will continue to mature. >> >> No, that wouldn't really work, because then you couldn't trust lookups >> from the fedoraproject.org zone, which would include delegations to >> the subdomains, the main website itself, MX records, etc. >> > > But if fedoraproject.org pointed to some place that wasn't signed or was > signed incorrectly, wouldn't that fail? fedoraproject.org can't be a CNAME because it has other records like MX, NS, SOA, etc. We'd have to switch to using 'www.fedoraproject.org' which could be a CNAME into an unsigned subzone. But then you'd still have the problem of relying on an unsigned zone serving up DNS data, eventually no one is going to trust it. -- Jeff Ollie ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
On Fri, 20 Nov 2009, Jeffrey Ollie wrote: > On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath wrote: > > On Fri, 20 Nov 2009, Jeffrey Ollie wrote: > > > >> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath wrote: > >> > > >> > So, for example 'fedoraproject.org' wouldn't be signed, but > >> > 'us.fedoraproject.org' would be? I *think* that's possible but I haven't > >> > gotten it to work. If I can get that to work though I guess that makes > >> > sense because A) it'd work for now and B) I'm sure over time pdns's > >> > dnssec > >> > will continue to mature. > >> > >> No, that wouldn't really work, because then you couldn't trust lookups > >> from the fedoraproject.org zone, which would include delegations to > >> the subdomains, the main website itself, MX records, etc. > >> > > > > But if fedoraproject.org pointed to some place that wasn't signed or was > > signed incorrectly, wouldn't that fail? > > fedoraproject.org can't be a CNAME because it has other records like > MX, NS, SOA, etc. We'd have to switch to using > 'www.fedoraproject.org' which could be a CNAME into an unsigned > subzone. > > But then you'd still have the problem of relying on an unsigned zone > serving up DNS data, eventually no one is going to trust it. > At this very moment, what is dnssec buying us? -Mike___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
At the moment? Nothing. On 21/11/2009, Mike McGrath wrote: > On Fri, 20 Nov 2009, Jeffrey Ollie wrote: > >> On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath >> wrote: >> > On Fri, 20 Nov 2009, Jeffrey Ollie wrote: >> > >> >> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath >> >> wrote: >> >> > >> >> > So, for example 'fedoraproject.org' wouldn't be signed, but >> >> > 'us.fedoraproject.org' would be? I *think* that's possible but I >> >> > haven't >> >> > gotten it to work. If I can get that to work though I guess that >> >> > makes >> >> > sense because A) it'd work for now and B) I'm sure over time pdns's >> >> > dnssec >> >> > will continue to mature. >> >> >> >> No, that wouldn't really work, because then you couldn't trust lookups >> >> from the fedoraproject.org zone, which would include delegations to >> >> the subdomains, the main website itself, MX records, etc. >> >> >> > >> > But if fedoraproject.org pointed to some place that wasn't signed or was >> > signed incorrectly, wouldn't that fail? >> >> fedoraproject.org can't be a CNAME because it has other records like >> MX, NS, SOA, etc. We'd have to switch to using >> 'www.fedoraproject.org' which could be a CNAME into an unsigned >> subzone. >> >> But then you'd still have the problem of relying on an unsigned zone >> serving up DNS data, eventually no one is going to trust it. >> > > At this very moment, what is dnssec buying us? > > -Mike -- Sent from my mobile device -- Nigel Jones ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: DNSSEC and Geodns
Actually it does buy us some trust but as the roots aren't signed it's fairly moot. On 21/11/2009, Nigel Jones wrote: > At the moment? Nothing. > > On 21/11/2009, Mike McGrath wrote: >> On Fri, 20 Nov 2009, Jeffrey Ollie wrote: >> >>> On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath >>> wrote: >>> > On Fri, 20 Nov 2009, Jeffrey Ollie wrote: >>> > >>> >> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath >>> >> wrote: >>> >> > >>> >> > So, for example 'fedoraproject.org' wouldn't be signed, but >>> >> > 'us.fedoraproject.org' would be? I *think* that's possible but I >>> >> > haven't >>> >> > gotten it to work. If I can get that to work though I guess that >>> >> > makes >>> >> > sense because A) it'd work for now and B) I'm sure over time pdns's >>> >> > dnssec >>> >> > will continue to mature. >>> >> >>> >> No, that wouldn't really work, because then you couldn't trust >>> >> lookups >>> >> from the fedoraproject.org zone, which would include delegations to >>> >> the subdomains, the main website itself, MX records, etc. >>> >> >>> > >>> > But if fedoraproject.org pointed to some place that wasn't signed or >>> > was >>> > signed incorrectly, wouldn't that fail? >>> >>> fedoraproject.org can't be a CNAME because it has other records like >>> MX, NS, SOA, etc. We'd have to switch to using >>> 'www.fedoraproject.org' which could be a CNAME into an unsigned >>> subzone. >>> >>> But then you'd still have the problem of relying on an unsigned zone >>> serving up DNS data, eventually no one is going to trust it. >>> >> >> At this very moment, what is dnssec buying us? >> >> -Mike > > -- > Sent from my mobile device > > -- Nigel Jones > -- Sent from my mobile device -- Nigel Jones ___ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list