Guys, are you having problems validating DNSSEC using ISC DLV? Regards,
-- Marcelo Gardini do Amaral www.spin.blog.br -- $>cd /pub $>more beer
On Sat, Apr 4, 2009 at 9:55 PM, Marcelo Gardini do Amaral <mgardini@gmail.com> wrote:
Guys,
are you having problems validating DNSSEC using ISC DLV?
No idea, but I did see another reference to this over on the OARC dns-ops list: https://lists.dns-oarc.net/pipermail/dns-operations/2009-April/003726.html
-- ferg
-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
Paul Ferguson <fergdawgster@gmail.com> writes:
On Sat, Apr 4, 2009 at 9:55 PM, Marcelo Gardini do Amaral <mgardini@gmail.com> wrote:
Guys,
are you having problems validating DNSSEC using ISC DLV?
No idea, but I did see another reference to this over on the OARC dns-ops list:
https://lists.dns-oarc.net/pipermail/dns-operations/2009-April/003726.html
note, this isn't a ddos, so it's probably not related to the other dns ddos events that have been discussed here recently. see also geoff's reply on that thread:
Date: Sat, 04 Apr 2009 23:15:55 -0700
From: "Geoffrey Sisson" <geoff@geoff.co.uk>
To: dns-operations@lists.dns-oarc.net
Subject: Re: [dns-operations] ISC DLV broken?
Sender: dns-operations-bounces@lists.dns-oarc.net
mvn@ucla.edu (Michael Van Norman) wrote:
Starting a bit after 18:00, my home machines started failing DNSSEC validation using the ISC DLV. ... Are other people seeing this?
Yes, starting at around the same time (PDT).
Peter_Losher@isc.org (Peter Losher) wrote:
ISC is aware that there is an issue with lookups against dlv.isc.org and is investigating the cause behind it. You may want to disable DNSSEC validation against dlv.isc.org at this time.
It appears as if the RRSIG RRset returned by the DLV nameservers for "dlv.isc.org" is missing the RRSIG for the KSK, so validation for dlv.isc.org is failing. It _does_ contain the RRSIG for the ZSK (key id 64263). As a test I tried changing the trusted key to the ZSK, and DLV validation appeared to work correctly. This is, of course, not a recommended work-around.
Geoff
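The failure Geoff describes is checkable from a DNSKEY/RRSIG query alone: if no RRSIG over the DNSKEY RRset was made by the key tag a validator uses as its trust anchor (the KSK), the chain breaks even though the ZSK signature is present. The script below is an added illustration, not code from the thread or from ISC; it computes RFC 4034 key tags and flags SEP keys that sign nothing. The DNSKEY and RRSIG lines are constructed (tiny keys, placeholder signature, and the resulting tags 45781/6459 are not the real dlv.isc.org tags).

```python
import base64
import struct

# Constructed sample in dig presentation format. NOT the real dlv.isc.org
# records: the public keys are a few bytes long and the signature is a
# placeholder. As in the thread, only the ZSK has signed the DNSKEY RRset.
SAMPLE = """
dlv.isc.org. 3600 IN DNSKEY 257 3 5 AwEAAavN
dlv.isc.org. 3600 IN DNSKEY 256 3 5 AwEAARI0
dlv.isc.org. 3600 IN RRSIG DNSKEY 5 3 3600 20090415000000 20090401000000 6459 dlv.isc.org. c2lnbmF0dXJl
"""

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8   # big-endian 16-bit word sum
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_rrset(text):
    """Return ({dnskey_tag: flags}, {key tags named by RRSIG DNSKEY records})."""
    keys, sig_tags = {}, set()
    for line in text.strip().splitlines():
        f = line.split()
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            keys[key_tag(flags, proto, alg, "".join(f[7:]))] = flags
        elif f[3] == "RRSIG" and f[4] == "DNSKEY":
            sig_tags.add(int(f[10]))   # RRSIG key tag field
    return keys, sig_tags

def unsigned_sep_keys(keys, sig_tags):
    """Key tags of SEP-flagged keys (KSKs) with no RRSIG of their own over DNSKEY."""
    return sorted(tag for tag, flags in keys.items() if flags & 1 and tag not in sig_tags)

def anchor_can_validate(anchor_tag, sig_tags):
    """A validator anchored on anchor_tag needs an RRSIG over DNSKEY made by that key."""
    return anchor_tag in sig_tags

if __name__ == "__main__":
    keys, sig_tags = parse_rrset(SAMPLE)
    print("DNSKEY tags:", keys, "RRSIG DNSKEY signer tags:", sorted(sig_tags))
    print("KSKs that signed nothing:", unsigned_sep_keys(keys, sig_tags))
```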
In message <ca2976fc0904042155h49be9d91yda8df945235c49f3@mail.gmail.com>, Marcelo Gardini do Amaral writes:
Guys,
are you having problems validating DNSSEC using ISC DLV?
Regards,
-- Marcelo Gardini do Amaral www.spin.blog.br
The fault has been rectified. We are still looking into the underlying cause and what procedural changes need to be made to prevent a repeat occurrence.
Mark
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
On Sun, Apr 05, 2009 at 07:37:15PM +1000, Mark Andrews wrote:
The fault has been rectified. We are still looking into the underlying cause and what procedural changes need to be made to prevent a repeat occurrence.
Mark Andrews, ISC
could ISC be a bit more open and transparent on what the underlying cause was, the path/steps between cause and effect, and the range of options/choices for mitigation and why the one chosen (presuming it was a procedural issue) was/is the best choice. --bill
On Apr 5, 2009, at 12:09 AM, bmanning@vacation.karoshi.com wrote:
On Sun, Apr 05, 2009 at 07:37:15PM +1000, Mark Andrews wrote:
The fault has been rectified. We are still looking into the underlying cause and what procedural changes need to be made to prevent a repeat occurrence.
Mark Andrews, ISC
could ISC be a bit more open and transparent on what the underlying cause was, the path/steps between cause and effect, and the range of options/choices for mitigation and why the one chosen (presuming it was a procedural issue) was/is the best choice.
You should definitely demand your money back. Given the root servers don't provide this level of accountability, not sure why you think ISC should. Stuff happens. If you've chosen to share fate with ISC for name resolution via DLV, then you should accept that it does and anticipate these sorts of outages. I'm sure the folks at ISC will attempt to minimize reoccurrence. Regards, -drc
On Sun, Apr 05, 2009 at 06:19:35AM -1000, David Conrad wrote:
On Apr 5, 2009, at 12:09 AM, bmanning@vacation.karoshi.com wrote:
On Sun, Apr 05, 2009 at 07:37:15PM +1000, Mark Andrews wrote:
The fault has been rectified. We are still looking into the underlying cause and what procedural changes need to be made to prevent a repeat occurrence.
Mark Andrews, ISC
could ISC be a bit more open and transparent on what the underlying cause was, the path/steps between cause and effect, and the range of options/choices for mitigation and why the one chosen (presuming it was a procedural issue) was/is the best choice.
You should definitely demand your money back. Given the root servers don't provide this level of accountability, not sure why you think ISC should.
I think I shall. As far as I can tell, the root server operators have never claimed their services/operations are open & transparent. ISC (well, Paul on behalf of ISC) has claimed they are open and transparent.
Stuff happens. If you've chosen to share fate with ISC for name resolution via DLV, then you should accept that it does and anticipate these sorts of outages. I'm sure the folks at ISC will attempt to minimize reoccurrence.
in fact it does. that does not negate the desire to know -WHY- stuff happens - a few of us are less than happy with a "it was broke, we fixed it, we'll try not to let it happen again" explanation. in this regard, I have been very impressed with Rich's documentation of the IANA alternate root. the processes are well documented and clear ... and to date, he's been pretty responsive when hiccups occur and provides prompt feedback.
Regards, -drc
David Conrad <drc@virtualized.org> writes:
... I'm sure the folks at ISC will attempt to minimize reoccurrence.
yes. though with two outages in the last month, some early DLV adopters might be getting a bit nervous. as with DNSSEC itself when folks first started turning it on a few years ago, the failure codepaths for DLV are inevitably not as well oiled as the success codepaths. (we're on it.) -- Paul Vixie
participants (7): bmanning@vacation.karoshi.com, David Conrad, Jeffrey Ollie, Marcelo Gardini do Amaral, Mark Andrews, Paul Ferguson, Paul Vixie