DNSSEC, EDNS and TCP
A couple weeks ago I gave a lightning talk at NANOG46 titled DNSSEC, EDNS and TCP using data from before and after the .ORG zone became signed.
DO=1 Queries and small reply size limits at the Root
Recently, the U.S. Department of Commerece, ICANN, and Verisign announced their cooperation to get the DNS Root zone signed by the end of 2009.
Anyone who has had the pleasure of signing a DNS zone knows that the DNSSEC keys and signatures are much larger than most DNS resource records (and not particularly pretty, either).
.ORG now signed with DNSSEC
Today PIR and Afilias jointly announced that the .ORG zone is now signed with DNSSEC.
Like .GOV, .ORG is also using the NSEC3 algorithm, which means that versions of BIND prior to 9.6.0 will have problems securely resolving names under .ORG.
As Ram Mohan of Afilias noted in his message to the dnssec-deployment list, there are still significant hurdles in getting the actual registrations signed. Not many registrars accept DS records from customers yet.
DITL 2009 Data Collection
A Day in the Life of the Internet is a large-scale data collection project undertaken by CAIDA and OARC every year since 2006. This year, the DITL collection will take place in late March took place March 30-April 1, 2009. If you would like to participate by collecting and contributing DNS packet captures, please subscribe to the DITL mailing list.
Participation Requirements
There are no strict participation requirements.IANA's Interim Trust Anchor Repository goes Beta
ICANN announced the IANA Interim Trust Anchor Repository as a not-quite-yet-production service today. The ITAR is useful to people running validating resolvers until the root zone gets signed. It currently includes trust anchors for three ccTLDs (BR, CZ, SE) and the eleven experimental IDN TLDs operated by ICANN.
IANA's policy is to only publish DS records in the ITAR. BIND users won't be able to import the ITAR anchors file directly since BIND currently takes only DNSKEY's as trust anchors.
Request for Data Related to ". IN NS" DDoS Attack
OARC is coordinating collection of DNS packet captures to assist researchers and security groups increase our understanding of some recent DDoS attacks (against ISPrime in particular). We'd like your help.
You can help out by running the following shell script on nameservers that are receiving spoofed queries:
#!/bin/sh # # tcpdump-to-oarc.sh # # This script captures DNS packets related to an ongoing # DDoS attack and uploads them to DNS-OARC. Current # version can be found at https://www.dns-oarc.net/node/171 # You can set FROM to whatever you like.
Upward Referrals Considered Harmful
//-->
//-->
*/
/*-->*/
Note: you can skip ahead to BIND fixes.
Recently the hosting company ISPrime became the victim of a DNS
Recently the hosting company ISPrime became the victim of a DNS
Mr. DNS Lives!
Great news everyone! Matt Larson and Cricket Liu are resurrecting their Ask Mr. DNS advice column as a podcast:
Sadly, after Acme’s acquisition by VeriSign in 2000, Mr. DNS began the downward spiral into dissolution and iniquity so familiar to those in the public eye. When Matt and Cricket tracked Mr.
PowerDNS Server Selection Algorithm
A number of years ago I did some simulations and measurements to show how different DNS resolvers distribute their queries to a set of authoritative servers (see PAM 2004 paper and NANOG29 presentation). At that time I tested BIND, Windows, DJBDNS, and CNS.
Recently someone asked if I know the behavior for PowerDNS.
dig +bufsiz=2048 @b.iana-servers.net XN--9T4B11YI5A RRSIG
//-->
//-->
While working on the TLDmon plugins a couple of weeks ago, I noticed that a certain query to b.iana-servers.net was consistenly failing:
$ dig +bufsiz=2048 @b.iana-servers.net XN--9T4B11YI5A RRSIG ; > DiG 9.3.5-P2 >