Moin!
On Aug 26, 2008, at 02:15 , Masataka Ohta wrote:
Could you elaborate on how fast converging routing protocols can
be a problem?
Well I believe it was in our case as we did observe some strange
behaviour when starting to test with anycast DNS.
Anycast TCP fails only when route changes
On Thu, Aug 21, 2008 at 01:17:21AM +0200,
Francis Dupont [EMAIL PROTECTED] wrote
a message of 14 lines which said:
it seems T/TCP is dead because of some security issues.
Correct (RFC 4614, section 5) but, unfortunately, these issues were
apparently never properly documented (no T/TCP
Dear colleagues,
On Tue, Aug 26, 2008 at 05:57:52AM +0200, Patrik Fältström wrote:
Personally, I think in this case it is better to for example have a
URI RR (see draft-faltstrom-uri-01.txt) that refers to some XML blob
where the policy is presented.
I should have been clearer. If I were
* Stephane Bortzmeyer:
it seems T/TCP is dead because of some security issues.
Correct (RFC 4614, section 5) but, unfortunately, these issues were
apparently never properly documented (no T/TCP deprecated RFC) and
it is hard to find a reference to a description of these security
problems.
On 26 aug 2008, at 14.23, Andrew Sullivan wrote:
I should have been clearer. If I were to go down this path, the point
of the NAPTR or SRV (or now URI, or whatever other kind of) RR would
actually be just to provide the place to look up the policy (and maybe
how), rather than to provide the
On Tue, Aug 26, 2008 at 02:41:55PM +0200,
Florian Weimer [EMAIL PROTECTED] wrote
a message of 50 lines which said:
I think it's CERT VU#464113,
Other references I've found on T/TCP (in)security:
http://www.mid-way.org/doc/ttcp-sec.txt
http://seclists.org/bugtraq/1998/Apr/0034.html
http://www.gcn.com/online/vol1_no1/46987-1.html
Government agencies must take new measures by January 2009 to ensure
the Domain Name System security extensions on top level .gov Web
site domains are signed, and that processes for securing sub-domains
are developed, according to a memorandum
On Tue, Aug 26, 2008 at 11:26 AM, Paul Hoffman [EMAIL PROTECTED] wrote:
http://www.gcn.com/online/vol1_no1/46987-1.html
Government agencies must take new measures by January 2009 to ensure
the Domain Name System security extensions on top level .gov Web
site domains are signed, and that
On Aug 26, 2008, at 7:03 PM, Joe Baptista wrote:
On Tue, Aug 26, 2008 at 11:26 AM, Paul Hoffman
[EMAIL PROTECTED] wrote:
http://www.gcn.com/online/vol1_no1/46987-1.html
Government agencies must take new measures by January 2009 to ensure
the Domain Name System security extensions on top
On Mon, 25 Aug 2008, Masataka Ohta wrote:
Dean Anderson wrote:
I recently read David Blacka's blog entry on Anycast, where Blacka
asserted that Anycast had to be proven UNstable before anyone should
consider stability questions. Blacka suggests that non-root
operators had no experience
On Sun, 24 Aug 2008, Brian Dickson wrote:
Dean Anderson wrote:
On Sun, 24 Aug 2008, Dean Anderson wrote:
Ok. But when you resign using arbitrary data controlled by the
attacker, the private key can be obtained. [There is a crypto attack on
rekeying] OOPS!!. Rekeying is out of
On Mon, 25 Aug 2008, Ralf Weber wrote:
It should be noted that unicast TCP is unstable if unicast routing
is unstable.
Yes, but TCP usually adapts to the problem while anycast can't, as it
may reach another target.
Large UDP packets (think EDNS0 DNSSEC as a good example of large UDP
On Tue, Aug 26, 2008 at 02:44:08PM -0400, Dean Anderson wrote:
I don't think I can give the exact correct mathematics without using a
book--and I don't have my crypto library right now--so I'll try to
armwave a bit:
If you're claiming that, after 10 years and review unto death, people
with
On Sat, 23 Aug 2008, Mark Andrews wrote:
On Fri, 22 Aug 2008, Mark Andrews wrote:
David do you have a nameserver we can bounce queries off
which has the root zone signed as it would be in production?
VeriSign's root DNSSEC testbed is serving a root zone that is not
modified
On Aug 26, 2008, at 12:08 PM, Matt Larson wrote:
Note that the root-servers.net zone as configured on
root.verisignlabs.com is not signed, since the root-servers.net zone
would not be signed, nor would it need to be, if the root were
signed.
Sorry. Perhaps I need more caffeine. Why not?
On Tue, 26 Aug 2008, Roy Arends wrote:
This will be a very interesting experiment. And finally a good test
of DNSSEC. Great for consultants.
Why would this be experimental or test? Why 'finally'. This implies
DNSSEC has not been deployed or been tested 'good' before.
Has DNSSEC been
Moin!
On Aug 26, 2008, at 21:02 , Dean Anderson wrote:
Large UDP packets (think EDNS0 DNSSEC as a good example of large UDP
packets almost certain to be fragmented) suffer the same problem, as
they can be fragmented by PMTU discovery. The server (operating system)
has to maintain UDP state
On Tue, 26 Aug 2008, David Conrad wrote:
On Aug 26, 2008, at 12:08 PM, Matt Larson wrote:
Note that the root-servers.net zone as configured on
root.verisignlabs.com is not signed, since the root-servers.net zone
would not be signed, nor would it need to be, if the root were
signed.
Sorry.
On Tue, 26 Aug 2008, Andrew Sullivan wrote:
On Tue, Aug 26, 2008 at 02:44:08PM -0400, Dean Anderson wrote:
I don't think I can give the exact correct mathematics without using a
book--and I don't have my crypto library right now--so I'll try to
armwave a bit:
If you're claiming that,
On Aug 26, 2008, at 1:06 PM, Dean Anderson wrote:
How could their testing and analysis be considered 'thorough' or
credible when they didn't find the very serious flaws just recently
identified on this list?
To summarize, the two flaws to which you refer are:
(1) there is no cryptographic
Large UDP packets (think EDNS0 DNSSEC as a good example of large UDP
packets almost certain to be fragmented) suffer the same problem, as
they can be fragmented by PMTU discovery. The server (operating system)
has to maintain UDP state for PMTUD to work. If the ICMP fragmentation
needed is
On Sat, 23 Aug 2008, Mark Andrews wrote:
On Fri, 22 Aug 2008, Mark Andrews wrote:
David do you have a nameserver we can bounce queries off
which has the root zone signed as it would be in production?
VeriSign's root DNSSEC testbed is serving a root zone that
On Aug 26, 2008, at 1:35 PM, Matt Larson wrote:
On Tue, 26 Aug 2008, David Conrad wrote:
On Aug 26, 2008, at 12:08 PM, Matt Larson wrote:
Note that the root-servers.net zone as configured on
root.verisignlabs.com is not signed, since the root-servers.net zone
would not be signed, nor
On Tue, Aug 26, 2008 at 1:10 PM, Roy Arends [EMAIL PROTECTED] wrote:
This will be a very interesting experiment. And finally a good test of
DNSSEC. Great for consultants.
Why would this be experimental or test? Why 'finally'. This implies DNSSEC
has not been deployed or been tested
24 matches