Fwd: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-16 Thread Russ Housley
, Staff Subject: Historic Moment - Root zone of the Internet was just signed minutes ago!!! Dear Board and Staff, Now is a historic moment for the Internet, ICANN, IETF, Verisign and the Dept of Commerce. The root zone of Internet is now more secure - signed cryptographically w/ DNSSEC

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-16 Thread Marshall Eubanks
played a role in deploying DNSSEC. Russ Housley IETF Chair -- Forwarded Message From: Rod Beckstrom Date: Thu, 15 Jul 2010 14:24:38 -0700 To: Rod Beckstrom Cc: ICANN Board of Directors , Staff Subject: Historic Moment - Root zone of the Internet was just signed minutes ago!!! Dear Board and

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-16 Thread Iljitsch van Beijnum
On 16 jul 2010, at 14:23, Russ Housley wrote: > I am passing on this announcement, and I want to add my thanks to > everyone in the Internet community that played a role in deploying DNSSEC. Too bad it doesn't work for me. Here IANA publishes info that needs conversion steps that I don't have to

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-16 Thread Andrew Sullivan
On Fri, Jul 16, 2010 at 06:35:15PM +0200, Iljitsch van Beijnum wrote: > > Here IANA publishes info that needs conversion steps that I don't have tools > for to perform: > > http://data.iana.org/root-anchors/ The key data can be read directly from http://data.iana.org/root-anchors/root-anchors.x

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-16 Thread Iljitsch van Beijnum
On 16 jul 2010, at 18:40, Andrew Sullivan wrote: > Define "works"? Less of this: validating @0x82e9000: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf. If anyone can point me to a key I can paste in my BIND config that will allow me to actually validate domains that would be

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-16 Thread Tony Finch
On Fri, 16 Jul 2010, Iljitsch van Beijnum wrote: > > Too bad it doesn't work for me. BIND's trust anchors are in DNSKEY format, but IANA publishes the root key in DS format. You can fetch the root DNSKEY using dig, convert it into a DS using BIND's dnssec-dsfromkey program and compare the result t

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-16 Thread Ronald van der Pol
On Fri, Jul 16, 2010 at 18:01:20 +0100, Tony Finch wrote: > On Fri, 16 Jul 2010, Iljitsch van Beijnum wrote: > > > > Too bad it doesn't work for me. > > BIND's trust anchors are in DNSKEY format, but IANA publishes the root key > in DS format. You can fetch the root DNSKEY using dig, convert it i

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-16 Thread Tony Finch
On Fri, 16 Jul 2010, Ronald van der Pol wrote: > > I would also like to check the output for a zone that is verifiably not > correct. Any examples of signed RRs with an incorrect signature? Have a look at http://www.dnssec-tools.org/testzone/ Tony. -- f.anthony.n.finch http://dotat.at/ SOUTH

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-16 Thread Iljitsch van Beijnum
On 16 jul 2010, at 19:56, Ronald van der Pol wrote: >> http://fanf.livejournal.com/107310.html > Thanks! That was very useful. I finally got it working. Yes, me too. > I would also like to check the output for a zone that is verifiably not > correct. Any examples of signed RRs with an incorrect

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-16 Thread Tony Finch
On Fri, 16 Jul 2010, Iljitsch van Beijnum wrote: > > www.ietf.org, www.iab.org, www.isc.org, all fail to validate. > Not sure what the deal is there. The DS record for .org has not yet been added to the root zone so the chain of trust is broken. > https://addons.mozilla.org/en-US/firefox/addon/64

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-16 Thread Andrew Sullivan
On Fri, Jul 16, 2010 at 08:13:46PM +0200, Iljitsch van Beijnum wrote: > with the result that www.ietf.org, www.iab.org, www.isc.org, all fail to > validate. Not sure what the deal is there. Only www.nic.cat works. BTW, this > is great: > The deal is that .org doesn't have a DS record in the ro

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-17 Thread Paul Wouters
On Fri, 16 Jul 2010, Tony Finch wrote: unbound requires trust anchors in DS format which is somewhat more convenient, though you still have to edit IANA's XML to convert it into master file format. You can also use DNSKEY statements in unbound: ~> grep trusted-keys /etc/unbound/unbound.conf t

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-18 Thread Tony Finch
On Sat, 17 Jul 2010, Paul Wouters wrote: > On Fri, 16 Jul 2010, Tony Finch wrote: > > > unbound requires trust anchors in DS format which is somewhat more > > convenient, though you still have to edit IANA's XML to convert it into > > master file format. > > You can also use DNSKEY statements in un

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-19 Thread Phillip Hallam-Baker
Being able to verify signatures is of no value. The system only has value when you can act differently according to whether the signature verifies or not. I keep asking, but nobody will tell me how I get the keys for my domains into the TLD. This is not a trivial issue. There is a question of l

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-19 Thread Mark Andrews
In message , Phillip Hallam-Baker writes: > Being able to verify signatures is of no value. > > The system only has value when you can act differently according to > whether the signature verifies or not. > > I keep asking, but nobody will tell me how I get the keys for my > domains into the TL

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-20 Thread Mark Andrews
In message , Phillip Hallam-Baker writes: > On Tue, Jul 20, 2010 at 12:12 AM, Mark Andrews wrote: > > > > In message , Phillip Hallam-Baker writes: > >> Being able to verify signatures is of no value. > >> > >> The system only has value when you can act differently according to > >> whe

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-21 Thread Iljitsch van Beijnum
On 21 jul 2010, at 5:27, Mark Andrews wrote: > The only keys that have to be widely distributed are those for the > root zone and that's a similar problem to distributing the list of > root nameservers and their addresses. Millions of recursive server > operators have managed that. Would be gre

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-21 Thread Tony Finch
On Wed, 21 Jul 2010, Iljitsch van Beijnum wrote: > > Would be great if the list of root servers and list of trusted root > certificates could be distributed in one easy to install file... At the moment BIND comes with a lot of bootstrapping data compiled in, including the root hints and the DLV tr

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-21 Thread Mark Andrews
In message , Phillip Hallam-Baker writes: > Mark, > > If you didn't know I was right you would have addressed my actual > argument rather than look for idiotic technical details that have no > bearing on the issue itself. > > Yes, I know what a DS record is technically, and you know that I know

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-21 Thread Masataka Ohta
Mark Andrews wrote: >> If there is going to be an unbroken chain of trust then at some point >> there has to be a point where the registry signs the domain owner key >> and it is damned obvious that that is the potential weak link in the >> chain. I don't want to be more specific that that because

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-21 Thread Masataka Ohta
Tony Finch wrote: > At the moment BIND comes with a lot of bootstrapping data compiled in, > including the root hints and the DLV trust anchor. I expect that it will > soon include the root trust anchor too. which means cryptographic chain of security is expected to be broken at the root. Congra

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-21 Thread Masataka Ohta
DNSSEC provides a very much higher standard of security and that this is going to lead to new security failures. Right, people who say "Historic Moment - Root zone of the Internet was just signed minutes ago!!!" are easy victims. > 1) Cancel DNSSEC > > Not happening, move on.

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-22 Thread Phillip Hallam-Baker
On Tue, Jul 20, 2010 at 12:12 AM, Mark Andrews wrote: > > In message , Phillip Hallam-Baker writes: >> Being able to verify signatures is of no value. >> >> The system only has value when you can act differently according to >> whether the signature verifies or not. >> >> I keep asking, but

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-22 Thread Phillip Hallam-Baker
Quite, and completely eliminate the risk of a DDoS attack on the root servers. Very easy today when the root file is 200 nodes. But what is it going to be like after ICANN has managed to sell TLDs to everyone in the F500 and so on? Might be some interesting fireworks there as 'non-profit' ICANN c

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-22 Thread Phillip Hallam-Baker
Mark, If you didn't know I was right you would have addressed my actual argument rather than look for idiotic technical details that have no bearing on the issue itself. Yes, I know what a DS record is technically, and you know that I know. And you know that as far as liability is concerned putti

Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-22 Thread Phillip Hallam-Baker
What Mark is saying here is that DNSSEC is not designed to provide very much security and so does not need to be very secure. What I am saying is that people are already assuming that DNSSEC provides a very much higher standard of security and that this is going to lead to new security failures. R

Re: Fwd: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-16 Thread todd glassey
win this one eh? Todd Glassey > -- Forwarded Message > From: Rod Beckstrom > Date: Thu, 15 Jul 2010 14:24:38 -0700 > To: Rod Beckstrom > Cc: ICANN Board of Directors , Staff > > Subject: Historic Moment - Root zone of the Internet was just signed > minutes ago!!! > >