nanog mailing list archives

RE: in-addr.arpa server problems for europe?

From: "Mark Scholten" <mark () streamservice nl>
Date: Tue, 16 Feb 2010 03:13:55 +0100

-----Original Message-----
From: marka () isc org [mailto:marka () isc org]
Sent: Tuesday, February 16, 2010 12:37 AM
To: Mark Scholten
Cc: 'Tony Finch'; nanog () nanog org
Subject: Re: in-addr.arpa server problems for europe?


In message <017901caae69$5d9e8770$18db9650$@nl>, "Mark Scholten"
writes:

-----Original Message-----
From: Tony Finch [mailto:fanf2 () hermes cam ac uk] On Behalf Of Tony
Finch
Sent: Monday, February 15, 2010 6:21 PM
To: Mark Scholten
Cc: nanog () nanog org
Subject: RE: in-addr.arpa server problems for europe?

On Mon, 15 Feb 2010, Mark Scholten wrote:


I've seen problems that are only there because of DNSSEC, so if

there

is a

problem starting with trying to disable DNSSEC could be a good

idea.

As long

as not all rootzones are signed I don't see a good reason to use

DNSSEC at

the moment.


You realise that two of them are signed now and the rest will be

signed

by
1st July?

Tony.


Yes, I realise that. I also realise that not all nameserver software

can

work as it work with DNSSEC. That is also a problem that has to be

solved

and for as far as I know all nameserver software we use support it or

will

support it in the future. As long as it is not supported by all

nameserver

software you can keep problems.


Nameservers that are not DNSSEC aware will not get responses that
contain DNSSEC records unless a client explicitly requests a DNSSEC
record type or make a * (ANY) request.

There is no problem to solve.  Just a lot of misunderstanding.

That said the majority of nameservers on the planet are DNSSEC aware
and will request the DNSSEC record to be returned.  They will also
fall back to plain DNS if middleware blocks the response.


As you've understood I need to read something extra about DNSSEC support.
The most things I know about DNSSEC are based on my contacts with software
writers that create nameservers and system administrators maintaining
multiple nameservers. So if I understand it correctly; if a resolver
requests DNSSEC information (together with for example www.domain.tld) and 1
resolver before the AUTH nameserver doesn't have DNSSEC it won't ask/require
DNSSEC? In that case men in the middle attacks are still possible. Also note
that a provider might have multiple resolvers with some using/able to
provide DNSSEC and others without DNSSEC support.

Mark

Current thread:

Re: in-addr.arpa server problems for europe?, (continued)
- - - Re: in-addr.arpa server problems for europe? Stephane Bortzmeyer (Feb 15)
    - Re: in-addr.arpa server problems for europe? Michelle Sullivan (Feb 15)
  - RE: in-addr.arpa server problems for europe? Mark Scholten (Feb 15)
    - Re: in-addr.arpa server problems for europe? Stephane Bortzmeyer (Feb 15)
    - RE: in-addr.arpa server problems for europe? Mark Scholten (Feb 15)
    - RE: in-addr.arpa server problems for europe? Tony Finch (Feb 15)
    - Re: in-addr.arpa server problems for europe? Seth Mattinen (Feb 15)
    - Re: in-addr.arpa server problems for europe? Steven Bellovin (Feb 15)
    - RE: in-addr.arpa server problems for europe? Mark Scholten (Feb 15)
    - Re: in-addr.arpa server problems for europe? Mark Andrews (Feb 15)
    - RE: in-addr.arpa server problems for europe? Mark Scholten (Feb 15)
    - Re: in-addr.arpa server problems for europe? Mark Andrews (Feb 15)
    - Re: in-addr.arpa server problems for europe? Joly MacFie (Feb 15)
  - Re: in-addr.arpa server problems for europe? Florian Weimer (Feb 15)
    - Re: in-addr.arpa server problems for europe? Mark Andrews (Feb 15)
    - Re: in-addr.arpa server problems for europe? Mark Andrews (Feb 15)
    - Re: in-addr.arpa server problems for europe? Michelle Sullivan (Feb 15)