John R Levine jo...@taugh.com wrote:
This happens in China (on CERNET I believe): there are a set of root
mirrors that hijack most (but not all) of the root IPs. As far as we
can tell, the servers are legitimate, returning the proper responses,
except that the mirror servers don't
George Michaelson g...@algebras.org wrote:
Given the behaviour of unknown algorithm, if the anycast node signs with an
algorithm they can guarantee you don't understand, how did you know DNSSEC
was turned off silently?
Because your trust anchor says the root zone MUST be signed with a
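Added example by the editor, not code from any message in this thread: the trust-anchor check a validator performs on the root DNSKEY RRset, written in Python. RFC 4035 lets a validator treat a zone as insecure when the DS RRset at the parent lists only algorithms the validator does not implement, but for the root the "DS" is the locally configured trust anchor, whose algorithm the operator chose. A DNSKEY RRset served with an algorithm the validator does not know therefore cannot match the anchor, and the result is bogus, not silently unsigned. The key tag and DS digest computations follow RFC 4034; the keys and the trust anchor are constructed inside the code (the real root anchor is not used), and algorithm 253 (PRIVATEDNS) stands in for an algorithm the validator does not implement.

```python
"""Trust-anchor matching for the root DNSKEY RRset (RFC 4034 key tag and
DS digest).  Editor's example; keys and anchor below are constructed."""
import hashlib
import hmac
import struct

ROOT_OWNER_WIRE = b"\x00"  # wire form of "." is a single zero-length label
RSASHA256 = 8              # algorithm of the real root trust anchor
PRIVATEDNS = 253           # stand-in for an algorithm this validator lacks


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner_wire, rdata):
    """DS digest type 2: SHA-256(owner name in wire form || DNSKEY RDATA)."""
    return hashlib.sha256(owner_wire + rdata).digest()


def find_anchored_key(anchor, dnskey_rrset, owner_wire=ROOT_OWNER_WIRE):
    """Return the DNSKEY RDATA matching the anchor (tag, alg, digest type 2,
    digest), or None.  Algorithm is compared first: a key the validator is
    told to use with an unknown algorithm simply never matches."""
    tag, algorithm, digest_type, digest = anchor
    if digest_type != 2:
        raise ValueError("example handles DS digest type 2 (SHA-256) only")
    for rdata in dnskey_rrset:
        if rdata[3] != algorithm or key_tag(rdata) != tag:
            continue
        if hmac.compare_digest(ds_digest(owner_wire, rdata), digest):
            return rdata
    return None


def root_keyset_status(anchor, dnskey_rrset):
    """'secure' when some DNSKEY matches the anchor (the RRSIG check over the
    RRset would follow), otherwise 'bogus': never 'insecure' for the root."""
    return "secure" if find_anchored_key(anchor, dnskey_rrset) else "bogus"


# Constructed material, not real keys: 256 stand-in bytes each.
GENUINE_PUB = hashlib.sha512(b"constructed root ksk").digest() * 4
GENUINE_KSK = dnskey_rdata(257, 3, RSASHA256, GENUINE_PUB)
TRUST_ANCHOR = (key_tag(GENUINE_KSK), RSASHA256, 2,
                ds_digest(ROOT_OWNER_WIRE, GENUINE_KSK))

# What a hijacking root mirror could serve: a KSK under an algorithm the
# validator does not implement, or the genuine key bytes relabelled.
HIJACK_PUB = hashlib.sha512(b"hijacker ksk").digest() * 4
HIJACK_KSK = dnskey_rdata(257, 3, PRIVATEDNS, HIJACK_PUB)
RELABELLED_KSK = dnskey_rdata(257, 3, PRIVATEDNS, GENUINE_PUB)

if __name__ == "__main__":
    for name, rrset in [("genuine", [GENUINE_KSK]), ("hijack", [HIJACK_KSK]),
                        ("relabelled", [RELABELLED_KSK])]:
        print(name, root_keyset_status(TRUST_ANCHOR, rrset))
```

The check is deliberately order-independent: a mixed RRset that still contains the anchored key is "secure" at this step, which is why the hijacking mirror's only options are to serve the genuine KSK (and then it cannot forge RRSIGs) or to fail validation outright.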
Greetings again. Based on some great input from Evan Hunt, we have updated our
draft. The algorithm is both simpler and easier to configure. In fact, we have
examples of how to configure BIND and Unbound/NSD to match the new spec.
We'll be talking about the new draft in today's meeting.
--Paul
This sounded good until "Note that using this configuration will cause the
recursive resolver to fail if the local root zone server fails." Could I
use forward first instead of static-stub so that it would fall back to
the normal root servers if the local root server could not get zone
transfers or
On Tue, Nov 11, 2014 at 2:15 PM, Evan Hunt e...@isc.org wrote:
This sounded good until "Note that using this configuration will cause
the recursive resolver to fail if the local root zone server fails."
Could I use forward first instead of static-stub so that it would fall
back to the
Does anyone know how Spartacus
(draft-dickson-dnsop-spartacus-{lang,system}, on the agenda for today)
handles new record types that may be invented tomorrow? I find nothing
in the drafts, which describe the JSON structure for today's record
types, but not for future types.
Paul Hoffman paul.hoff...@vpnc.org wrote:
Greetings again. Based on some great input from Evan Hunt, we have
updated our draft. The algorithm is both simpler and easier to
configure. In fact, we have examples of how to configure BIND and
Unbound/NSD to match the new spec.
I have been running
On Tue, Nov 11, 2014 at 02:43:02PM -0500, Bob Harold wrote:
Thanks, but what about the case where the zone transfers are refused and
the root zone expires? My server is still running, but cannot answer for
the root zone. That's a case where I want it to fail over to the real
roots.
If the
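Added example by the editor, not the draft's own text (which is not reproduced here): a BIND 9 named.conf fragment in the style the updated draft describes for Paul's announcement above and for the failure mode Bob asks about. The address 127.12.12.12 is an operator-chosen loopback address; the master addresses are assumed to be the ones ICANN published for its root zone transfer servers xfr.lax.dns.icann.org and xfr.cjr.dns.icann.org at the time, and must be confirmed before use. The recursive view keeps dnssec-validation on, so answers from the local copy are validated against the root trust anchor exactly like answers from the real root servers.

```conf
# Editor's example named.conf fragment for a local copy of the root zone.
# Assumed: 127.12.12.12 is free on the loopback interface and named listens
# on it (the default listen-on { any; } covers 127/8 on Linux); master
# addresses are ICANN's root zone transfer servers, to be verified.

view root {
    # Only queries sent to the loopback address reach the slave copy.
    match-destinations { 127.12.12.12; };
    zone "." {
        type slave;
        file "rootzone.db";
        notify no;
        masters {
            192.0.47.132;   # xfr.lax.dns.icann.org (assumed address)
            192.0.32.132;   # xfr.cjr.dns.icann.org (assumed address)
        };
    };
};

view recursive {
    # Everything else: a normal validating resolver whose root queries go
    # to the slave copy instead of to the root server addresses in hints.
    dnssec-validation auto;
    allow-recursion { any; };
    recursion yes;
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};
```

The fail-closed behaviour the draft warns about is visible in the structure: static-stub names only 127.12.12.12, so once the slave copy passes the root SOA expire time (604800 seconds, one week) without a successful transfer, the root view answers SERVFAIL and the recursive view has nowhere else to send root queries. Monitoring the serial and the expiry of rootzone.db is therefore part of running this configuration.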
On Tue, Nov 11, 2014 at 06:14:44PM -0500, Andrew Sullivan wrote:
But my point is that it's a different zone. Once you allow for the
possibility that an apex record could change in this zone, why not
change other records too?
Because that's not necessary to address the technical issue this
Meeting materials:
https://datatracker.ietf.org/meeting/91/materials.html#dnsop
Agenda:
https://tools.ietf.org/wg/dnsop/agenda
Follow the bouncing ball….
Suzanne & Tim
I'll take a dollar for every query in PTR we take at the IPv4 /8 and IPv6
/12 level. That's somewhere around 170,000/sec.
Luckily, you'll all stop before I have the entire western economy in my
pocket, but that's ok. I'll take the cents.. I'll take the millicents...
Seriously: the volume of query
Many SSH servers (by default) reject connections from IP addresses without
PTRs.
This is stupid.
I heard applause during the WG meeting in response to these statements;
sounded like consensus to me. I said I would check that consensus on list.
Thanks,
Lee
Hi,
as I mentioned at the mike:
For those at the IETF-91 I will be hosting a Beach Bof for people that are
interested in working on creating an automated solution to this problem in
as short time as possible.
Send me an email if you are interested
Time: 15:00 @ Thursday
Location: TBD
Olafur
PTR checks for ssh on call-in is stupid.
But, putting ssh host keys in the DNS and not having to do that 'are you
sure? are you sure? are you sure?' dance from Father Ted is not stupid.
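Added example by the editor, not from the thread: the "ssh host keys in the DNS" mechanism George refers to is the SSHFP record (RFC 4255, with SHA-256 fingerprints from RFC 6594 and Ed25519 from RFC 7479). The Python below computes the record for an OpenSSH public-key line the way ssh-keygen -r does (SHA-256 over the base64-decoded key blob) and checks a key presented by a server against a published RRset. The host key is constructed inside the code (32 stand-in bytes, not a real Ed25519 key). The record only removes the "are you sure?" prompt when the client receives it DNSSEC-validated; OpenSSH's VerifyHostKeyDNS yes trusts a fingerprint implicitly only when the resolver returned it with the AD bit set, and otherwise falls back to asking.

```python
"""SSHFP generation and verification for OpenSSH host keys.
Editor's example; the host key below is constructed, not a real key."""
import base64
import hashlib
import struct

# RFC 4255 / 6594 / 7479 algorithm numbers; SHA-256 is fingerprint type 2.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
             "ssh-ed25519": 4}
FPTYPE_SHA256 = 2


def parse_openssh_pubkey(line):
    """Return (key type, raw key blob) from a known_hosts-style key line,
    checking that the type inside the blob matches the text field."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed key line")
    ktype, blob = parts[0], base64.b64decode(parts[1])
    (n,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != ktype:
        raise ValueError("key type inside blob does not match text field")
    return ktype, blob


def sshfp_record(line):
    """(algorithm, fptype, hex fingerprint): the RDATA of the SSHFP record,
    fingerprint = SHA-256 over the decoded blob, as ssh-keygen -r computes."""
    ktype, blob = parse_openssh_pubkey(line)
    return SSHFP_ALG[ktype], FPTYPE_SHA256, hashlib.sha256(blob).hexdigest()


def verify_host_key(line, sshfp_rrset):
    """True iff the presented key matches a SHA-256 SSHFP record in the set.
    Caller's responsibility: only pass an RRset that was DNSSEC-validated."""
    alg, fptype, fp = sshfp_record(line)
    return any(a == alg and t == fptype and f.lower() == fp
               for a, t, f in sshfp_rrset)


def constructed_ed25519_key(seed, comment="host.example"):
    """Build a syntactically valid ssh-ed25519 line from 32 stand-in bytes
    (constructed material, not a real key pair)."""
    pub = hashlib.sha256(seed).digest()
    blob = (struct.pack("!I", 11) + b"ssh-ed25519"
            + struct.pack("!I", 32) + pub)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


HOST_KEY = constructed_ed25519_key(b"constructed host key")
PUBLISHED_RRSET = [sshfp_record(HOST_KEY)]            # what the zone carries
IMPOSTOR_KEY = constructed_ed25519_key(b"attacker key")  # MITM's substitute

if __name__ == "__main__":
    alg, fptype, fp = PUBLISHED_RRSET[0]
    print("host.example. IN SSHFP %d %d %s" % (alg, fptype, fp))
    print("genuine key accepted:", verify_host_key(HOST_KEY, PUBLISHED_RRSET))
    print("impostor accepted:", verify_host_key(IMPOSTOR_KEY, PUBLISHED_RRSET))
```

Publishing both the SHA-1 (type 1) and SHA-256 (type 2) variants is common for older clients; the verifier here accepts only type 2 on purpose, since a client that accepts a SHA-1 match gains nothing from also having the SHA-256 record.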
On Tue, Nov 11, 2014 at 5:48 PM, Lee Howard l...@asgard.org wrote:
Many SSH servers (by default) reject
Tony Finch d...@dotat.at
Tuesday, November 11, 2014 1:07 PM
...
I thought the idea of validating the zone transfer before putting the zone
live was interesting.
this is something deliberately left out of the dnssec design, because it
doesn't obviate validation by query initiators
On Nov 11, 2014, at 7:50 PM, George Michaelson g...@algebras.org wrote:
But, putting ssh host keys in the DNS and not having to do that 'are you
sure? are you sure? are you sure?' dance from Father Ted is not stupid.
Indeed. But that is a completely 'nother thing. :)
Andrew Sullivan a...@anvilwalrusden.com
Tuesday, November 11, 2014 3:14 PM
On Mon, Nov 10, 2014 at 01:34:05PM -0800, Paul Vixie wrote:
... any RDNS operator who receives advice on how to change their root
hints to use the unowned-anycast root server addresses will also be told
not