Public

Public Stories, etc

Root Zone Archive

With the assistance of its members and friends (especially AFNIC, RIPE, Paul Vixie, Peter Koch and Paul Hoffman) DNS-OARC has assembled a historical archive of the DNS root zone dating back to July 1999. This Root Zone Archive is a part of our larger project, the Zone File Repository.

Root Zone Trends

The following graph shows trends in the contents of the root zone:

Submitted by admin on Mon, 2015-03-16 15:03 categories [ ]

OARC 2015 Spring Workshop (Amsterdam)

DNS-OARC's Spring 2015 Workshop will take place co-located with the RIPE70 meeting at the Hotel Okura in Amsterdam, sponsored by SIDN and Verisign on the 9th and 10th of May.

DNS-OARC Workshop meetings are open to OARC members and to all other parties interested in DNS operations and research, with RIPE attendees particularly welcome this time around. Attendance is free for OARC Members, Speakers and Sponsors. There are charges for other attendees and late registrations.

Submitted by keith on Fri, 2015-03-13 20:02 categories [ ]

DNSDump

DNSdump is a Perl script which captures and displays DNS messages, much like tcpdump would, but is purpose-built for DNS. However, dnsdump does not currently support DNS over TCP.

DNSdump can be obtained from the Measurement Factory:

http://dns.measurement-factory.com/tools/dnsdump/

Submitted by admin on Fri, 2015-02-06 13:28 categories [ ]

OARC Data Catalog

One of OARC's functions is to collect and archive DNS-related data from its members. This data is available to members for research and operational use. Some of OARC's data is available through the secure member's portal. Other data is available via shell access from a read-only file server.

Members that require access to data must adhere to the guidelines outlined in the OARC Membership and Data Access Agreement.

Real-Time DSC Data

Submitted by admin on Thu, 2014-12-11 20:05 categories [ ]

OARC 2014 AGM Board Election Results

The following candidates were re/elected to the OARC Board for 2-year terms:

  • George Michaelson (APNIC)
  • Ondrej Filip (CZ.NIC)
  • John Crain (ICANN)

OARC welcomes and congratulates the new Board members on their successful election.

We thank the unsuccessful and withdrawn candidates:

  • Don Blumenthal (PIR)
  • Merike Kaeo (IID)
  • Mehmet Akcin (Microsoft)

for their willingness to consider serving on OARC's Board.

We also want to express a special thanks to our outgoing Board members Antoin Verschuren and Matt Pounsett for their years of service and energetic contribution to OARC.

Submitted by keith@ on Mon, 2014-10-13 18:50 categories [ ]

OARC Fall 2014 Workshop (Los Angeles)

DNS-OARC is pleased to announce the agenda for its 2014 Fall Workshop and Member AGM which will take place in Los Angeles, California, USA on the 11th through 13th October.

This will be held in co-operation with the ccNSO Tech Day of the subsequent ICANN51 meeting. The OARC AGM and member-only session will be held on Saturday 11th October, the main workshop on Sunday 12th, and a joint session with ICANN's Tech Day on Monday 13th.

Submitted by keith@ on Wed, 2014-09-24 14:13 categories [ ]

2014 OARC Elections

During the 2014 OARC Annual General Meeting we will be electing three seats on the OARC Board of Directors. The seats becoming available are doing so on the following basis:

  • Existing Board member Antoin Verschuren's (SIDN) two-year term has ended.
    Antoin will not be standing for re-election.
  • Existing Board member Ondrej Filip's (CZ.NIC) two-year term has ended.
    Ondrej will be standing for re-election.
  • Existing Board member John Crain's two-year term has ended. This seat was originally appointed as the Root Operator's representative, but was converted last year to an at-Large elected position, and John is re-standing for election representing ICANN on this new basis.

Submitted by keith on Thu, 2014-09-18 19:59 categories [ ]

2014 OARC Elections and AGM

The DNS-OARC 2014 Annual General Meeting will take place on the 11th of October during a members-only session at the start of OARC's Fall 2014 Workshop, in Los Angeles, California, USA.

In addition to regular AGM business, the OARC Board will be proposing a revised version of the OARC Participation Agreement for member review and approval. Regular rotation of OARC Directors means we also have 3 Board seats to fill by election at this AGM.

Submitted by keith on Tue, 2014-08-26 14:00 categories [ ]

OARC's Open DNSSEC Validating Resolver

7 June 2011 UPDATE: The .de zone is now fully signed and the corresponding DS Resource Record has been added to the root zone, so the testbed redirection has been removed from both resolvers.

4 October 2010 UPDATE: We have now added the .de DNSSEC Testbed to both resolvers.

How To Use ODVR

OARC is pleased to offer dual-stack (as in IPv4 and IPv6), open DNSSEC-validating resolvers ("ODVR") that anyone can use to experiment with DNSSEC. The IP addresses for ODVR nameservers are:

Instance   IPv4   IPv6
BIND 9   149.20.64.20   2001:4f8:3:2bc:1::64:20
Unbound   149.20.64.21   2001:4f8:3:2bc:1::64:21

You might like to manually query the ODVR nameservers with a tool such as dig. Be sure to add the +dnssec option:

$ dig +dnssec @149.20.64.20 iis.se | less

The AD bit in the response flags tells you that the reply data has been validated:

;; flags: qr rd ra ad; ...
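The check described above, as an added Python example that is not part of the original page or of OARC's tooling: it builds the kind of query that dig's +dnssec option sends (an EDNS0 OPT record with the DO bit set) and reads the AD bit from a response header. The response bytes are constructed samples, not captured traffic, and the function names are illustrative; as the FAQ below notes, the AD flag is only as trustworthy as the path between the client and the resolver.

```python
import struct

# Header flag masks (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 3225).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000  # top bit of the 16 flag bits carried in the OPT record's TTL field
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in filter(None, name.split(".")):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qid, do=True):
    """Build an A query; do=True appends an OPT record with the DO bit set,
    which is what asks the resolver to return DNSSEC data."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if not do:
        return header + question
    # OPT RR: root name, type 41, class = UDP payload size, TTL = flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO, 0)
    return header + question + opt

def parse_flags(message):
    """Return (id, {flag name: bool}, rcode) from a DNS message header."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack("!HH", message[:4])
    names = {"qr": QR, "rd": RD, "ra": RA, "ad": AD, "cd": CD}
    return qid, {n: bool(flags & m) for n, m in names.items()}, flags & 0x000F

def is_validated(query, response):
    """True only for a NOERROR response to our query id that has AD set."""
    qid, _, _ = parse_flags(query)
    rid, flags, rcode = parse_flags(response)
    return rid == qid and flags["qr"] and rcode == 0 and flags["ad"]

# Constructed sample data: one query and two response headers
# ("qr rd ra ad" and "qr rd ra"), not captured from a real resolver.
QUERY = build_query("iis.se", 0x1A2B)
SIGNED = struct.pack("!HHHHHH", 0x1A2B, QR | RD | RA | AD, 1, 1, 0, 1)
UNSIGNED = struct.pack("!HHHHHH", 0x1A2B, QR | RD | RA, 1, 1, 0, 1)

if __name__ == "__main__":
    print(is_validated(QUERY, SIGNED), is_validated(QUERY, UNSIGNED))
```
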

Another way to use ODVR is to place the following lines in your Unix /etc/resolv.conf file:

nameserver 149.20.64.20
nameserver 149.20.64.21

Windows users can manually set DNS servers in the Internet Protocol Properties dialog of a network connection.

Finally, the client (such as dig) that you use to test against ODVR should allow you to select IPv4 or IPv6 by specifying the corresponding options.

Trust Anchors

ODVR has been configured with the following list of trust anchors:

Zone   Key Verified   PGP Sig Verified
.   YES   YES
gw   no   no
iq   no   no
ky   no   no
lr   no   no
vc   no   no
xn--90ais   no   no
xn--fzc2c9e2c   no   no
xn--xkc2al3hye2a   no   no

ODVR also validates against ISC's DLV registry.

Data Collection

OARC collects data from the ODVR nameservers and makes this data available to our members for research purposes.

Traffic Graphs

These graphs, updated nightly, show the number of queries received with and without the "DO" bit set, and the number of responses sent with and without the "AD" bit set.

Configuration Files

BIND: UNBOUND:

Frequently Anticipated Questions

Q: Does it mean all my DNS lookups are secure if I use OARC's validating resolvers?

A: No, probably not, for the following reasons:

  1. Most zones are not yet signed. Chances are that, for most of your DNS queries, there will not be any DNSSEC signatures. However, we expect this to improve over time as more and more zones take advantage of DNSSEC.
  2. Most end-user applications (think Web browser) and stub resolvers (a part of your computer's operating system) do not yet perform DNSSEC validation. This means that the channel between you and the OARC nameserver is still vulnerable to attack. In other words, security of the DNSSEC transaction is only guaranteed up to the point where the validation has been performed.

Q: Then why are you doing this?

A: A few reasons:

  1. So that you can play with DNSSEC without changing the configuration of your own nameserver.
  2. To convince you that a DNSSEC-validating resolver works almost exactly like a non-validating resolver and that you should go ahead and enable DNSSEC on your own resolvers.
  3. To collect and publish data on adoption of DNSSEC over time.

Q: Can ODVR nameservers provide protection from Kaminsky-style spoofing attacks?

A: The answer is complicated and depends on a number of other factors. Generally, this should not be your motivation for using ODVR. If you are stuck using a DNS resolver with poor source port randomization then ODVR may make you more secure. However, a determined attacker could probably spoof answers that appear to come from the ODVR nameservers and give you bad answers.

Q: I thought open resolvers were a bad thing?

A: It's true that open resolvers are usually considered to be a problem and have been used — in combination with source address spoofing — to conduct large-scale DDoS attacks. Such attacks are made possible because (1) there are hundreds of thousands, if not millions, of open resolvers, and (2) their owners/operators are unaware of the openness. The ODVR nameservers are rate-limited and closely monitored. If we have reason to suspect abuse of the ODVR nameservers, we will act quickly to stop it. Please contact the OARC Admin if you have abuse concerns.

Q: Can DNS-OARC members have non-rate-limited access?

A: Absolutely. Write to the OARC Admin to find out how.

Submitted by admin on Sat, 2014-08-09 15:50 categories [ ]

DNS Tools

DNS-related tools/applications, which are linked to the author's site, or which may be downloaded directly from this site.

Submitted by Anonymous on Wed, 2014-07-30 18:08 categories [ ]