Kevin Oberman wrote:
Date: Mon, 08 Mar 2010 10:03:26 -0800
From: Michael Sinatra mich...@rancid.berkeley.edu
Sender: bind-users-bounces+oberman=es@lists.isc.org
On 3/7/10 10:46 AM, Danny Mayer wrote:
Autokey is not a cryptographic signature protocol. It *is* an
authentication protocol
On 3/7/10 10:46 AM, Danny Mayer wrote:
Autokey is not a cryptographic signature protocol. It *is* an
authentication protocol for the server only and there are a number of
exchanges that need to be done to complete the authentication of the
server. You cannot compare this with DNSSEC and nothing
Date: Mon, 08 Mar 2010 10:03:26 -0800
From: Michael Sinatra mich...@rancid.berkeley.edu
Sender: bind-users-bounces+oberman=es@lists.isc.org
On 3/7/10 10:46 AM, Danny Mayer wrote:
Autokey is not a cryptographic signature protocol. It *is* an
authentication protocol for the server
Michael Sinatra wrote:
On 02/24/10 01:25, Jonathan de Boyne Pollard wrote:
DNScurve advocates, on the other hand, point out that DNS isn't
encrypted. Well, neither is the phone book. So what?
So the protocol is vulnerable to both local and remote forgery attacks,
just like other
Jonathan de Boyne Pollard wrote:
That's also nothing to do with DNSCurve. You weren't making a DNSCurve
query there. You were simply querying, with an ordinary DNS query, a
proxy DNS server that is under someone else's control and getting the
view of the DNS namespace that that someone else
Joe Baptista wrote:
ORG and GOV and quite a lot of the ccTLDs are DNSSEC compatible, so I
don't actually think it'd be much of a horserace if compatibility is all
you're looking for.
I agree they are both DNSSEC compatible but .GOV has only deployed
DNSSEC in 20% of its
Stephane Bortzmeyer wrote:
Sam Wilson sam.wil...@ed.ac.uk wrote
Has anyone found any uz5* servers out there yet?
Zero for opendns.com, dnscurve.org, etc.
One:
dempsky.org. 259200 IN NS
uz5p4utwsxu5p3r9xrw0ygddw2hxh7bkhd0vdwtbt92lf058ny1p79.dempsky.org.
* Eugene Crosser:
Right now, as far as I am concerned, the main obstacle to more
widespread adoption on DNSSEC is the lack of procedure to establish
trust between your zone and the TLD.
There's no standard procedure for NS and glue management, either, and
it still seems to work quite well.
* Sam Wilson:
Has anyone found any uz5* servers out there yet?
node.pk, dempsky.org has such name servers. I thought there were
more. Has the magic prefix changed?
--
Florian Weimer fwei...@bfk.de
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100
In article mailman.633.1267090950.21153.bind-us...@lists.isc.org,
Florian Weimer fwei...@bfk.de wrote:
* Sam Wilson:
Has anyone found any uz5* servers out there yet?
node.pk, dempsky.org has such name servers. I thought there were
more. Has the magic prefix changed?
OK. I found none
On Wed, Feb 24, 2010 at 10:23 PM, Alan Clegg acl...@isc.org wrote:
Joe Baptista wrote:
dnssec-enable yes;
and
dnssec-validation yes;
are the defaults since BIND 9.5
How do I turn it off?
Since you edited out the most important part of my post, I'll repeat
On Thu, 25 Feb 2010, Eugene Crosser wrote:
Right now, as far as I am concerned, the main obstacle to more widespread
adoption on DNSSEC is the lack of procedure to establish trust between your zone
and the TLD. Even if my zone is signed, and it's in .org which is signed too, I
have no
Or, if you think you might accidentally sign your zones or configure
trust anchors, you can:
dnssec-enable no;
dnssec-validation no;
OK - so if I do the above - will that prevent my recursive server from doing
DNSSEC if it gets information from a DNSSEC signed zone?
Yes,
On Tue, Feb 23, 2010 at 07:28:48PM -0800,
Michael Sinatra mich...@rancid.berkeley.edu wrote
a message of 34 lines which said:
While I think the OpenDNS people (especially David U., their
founder) have a huge amount of clue, I think they're barking up the
wrong tree here.
On the other hand,
reply below
On Wed, Feb 24, 2010 at 1:06 AM, Evan Hunt e...@isc.org wrote:
I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is
full of wackos. So it is unlikely he will ever be bothered to dance the
IETF RFC jig.
Is there a requirement that Dr. Bernstein must
On Wed, Feb 24, 2010 at 1:13 AM, Michael Sinatra
mich...@rancid.berkeley.edu wrote:
As someone who both signs his production zones and does DNSSEC validation,
I can assure you that DNSSEC works. But you've done as good a job as I can
imagine in making the case for DNScurve.
Done.
regards
On 02/24/10 01:25, Jonathan de Boyne Pollard wrote:
DNScurve advocates, on the other hand, point out that DNS isn't
encrypted. Well, neither is the phone book. So what?
So the protocol is vulnerable to both local and remote forgery attacks,
just like other unencrypted protocols
Joe Baptista wrote:
That's not the case with DNScurve. Again I stress - over 20 billion
requests per day at OpenDNS are DNScurve compatible. The traffic in
DNSSEC is chicken feed compared to DNScurve.
Joe,
The fact that queries hit servers that are DNScurve capable does not
mean that they are
On Tue, 23 Feb 2010, Joe Baptista wrote:
Let's not forget the IETF has had 15 years to secure the DNS. The result is
the DNSSEC abortion. It has failed.
It looks pretty lively to me. DNSSEC has multiple interoperable
implementations, and it will be deployed in the most important zones this
That's not the case with DNScurve. Again I stress - over 20 billion
requests per day at OpenDNS are DNScurve compatible. The traffic in
DNSSEC is chicken feed compared to DNScurve.
ORG and GOV and quite a lot of the ccTLDs are DNSSEC compatible, so I
don't actually think it'd be much of a
On Wed, 24 Feb 2010, Tony Finch wrote:
On Tue, 23 Feb 2010, Joe Baptista wrote:
Let's not forget the IETF has had 15 years to secure the DNS. The result is
the DNSSEC abortion. It has failed.
It looks pretty lively to me. DNSSEC has multiple interoperable
implementations, and it will be
On Feb 24 2010, Evan Hunt wrote:
That's not the case with DNScurve. Again I stress - over 20 billion
requests per day at OpenDNS are DNScurve compatible. The traffic in
DNSSEC is chicken feed compared to DNScurve.
ORG and GOV and quite a lot of the ccTLDs are DNSSEC compatible, so I
don't
In article mailman.608.1267031100.21153.bind-us...@lists.isc.org,
Chris Thompson c...@cam.ac.uk wrote:
On Feb 24 2010, Evan Hunt wrote:
That's not the case with DNScurve. Again I stress - over 20 billion
requests per day at OpenDNS are DNScurve compatible. The traffic in
DNSSEC is
Joe Baptista bapti...@publicroot.org wrote:
Someone else has written the RFC draft - which see http://bit.ly/b5mFkV
That draft has this text, Expires: February 27, 2010 [3 days from
today]. I am not sure what an expiration date means officially on a
draft RFC.
@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of bsfin...@anl.gov
Sent: Wednesday, February 24, 2010 3:49 PM
To: bind-users@lists.isc.org
Subject: Re: OpenDNS today announced it has adopted DNSCurve to secure
DNS
Joe Baptista bapti...@publicroot.org wrote
On Wed, Feb 24, 2010 at 11:33 AM, Evan Hunt e...@isc.org wrote:
That's not the case with DNScurve. Again I stress - over 20 billion
requests per day at OpenDNS are DNScurve compatible. The traffic in
DNSSEC is chicken feed compared to DNScurve.
ORG and GOV and quite a lot of the ccTLDs
Joe Baptista wrote:
[] I guess that depends on if DNSSEC
is turned on by default in BIND. Incidentally - is it?
dnssec-enable yes;
and
dnssec-validation yes;
are the defaults since BIND 9.5
Serving signed zones requires signed zone data to serve.
Validation
On Wed, Feb 24, 2010 at 10:08 PM, Alan Clegg acl...@isc.org wrote:
dnssec-enable yes;
and
dnssec-validation yes;
are the defaults since BIND 9.5
How do I turn it off?
Thanks
joe
___
bind-users mailing list
bind-users@lists.isc.org
Joe Baptista wrote:
dnssec-enable yes;
and
dnssec-validation yes;
are the defaults since BIND 9.5
How do I turn it off?
Since you edited out the most important part of my post, I'll repeat it
here before I answer your question:
Serving signed zones requires
It's going to be interesting to watch. I guess that depends on if DNSSEC is
turned on by default in BIND. Incidentally - is it?
That depends on what you mean by turned on. The DNSSEC protocol is
enabled, and the DO bit is set in queries, so authoritative servers with
signed data will send it.
On Thu, 25 Feb 2010, Evan Hunt wrote:
It's going to be interesting to watch. I guess that depends on if DNSSEC is
turned on by default in BIND. Incidentally - is it?
That depends on what you mean by turned on. The DNSSEC protocol is
enabled, and the DO bit is set in queries, so authoritative
Now that OpenDNS the largest provider of public DNS supports DNSCurve
http://twitter.com/joebaptista/status/9555178362
Would it be possible to include DNScurve support in bind?
thanks
joe baptista
On 02/23/10 18:31, Joe Baptista wrote:
Now that OpenDNS the largest provider of public DNS supports DNSCurve
http://twitter.com/joebaptista/status/9555178362
Would it be possible to include DNScurve support in bind?
thanks
joe baptista
I'd love to see BIND adopt DNScurve...when it becomes
It would be nice to see it as an RFC. I agree with that. But from what I
know it will be a pretty cold day in hell before it becomes an RFC. I humbly
suggest Dr. Bernstein who is behind DNScurve thinks the IETF is full of
wackos. So it is unlikely he will ever be bothered to dance the IETF RFC
I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is
full of wackos. So it is unlikely he will ever be bothered to dance the
IETF RFC jig.
Is there a requirement that Dr. Bernstein must personally do the dancing?
Let someone else write the RFC, if it needs writing.
While
On 02/23/10 19:54, Joe Baptista wrote:
It would be nice to see it as an RFC. I agree with that. But from what I
know it will be a pretty cold day in hell before it becomes an RFC. I
humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is
full of wackos. So it is unlikely he will