[Chapter-delegates] DNSSEC-validating resolvers Re: dnssec as a solution to dns poisoning the national dns infrastructure (.ro)
Eduard Tric
eduard.tric at isoc.ro
Thu Nov 29 11:09:55 PST 2012
Thank You all for your feedback.
Many ISPs here have already deployed IPv6/DNSSEC responders, activated indeed only for the TLDs where it works (.eu, .com, .org, etc.).
Yesterday's attack was, however, specific to .ro domains, and it is logical to add .ro to the pool of DNSSEC-aware domains.
Ed
----- Original message -----
From: "Dan York" <york at isoc.org>
To: patrick at vande-walle.eu
cc: "Eduard Tric" <eduard.tric at isoc.ro>, "Peter Koch" <peter at denic.de>, "Delegates Chapter" <chapter-delegates at elists.isoc.org>
Sent: Thursday, 29 November 2012 20:38:49
Subject: DNSSEC-validating resolvers Re: [Chapter-delegates] dnssec as a solution to dns poisoning the national dns infrastructure (.ro)
On Nov 29, 2012, at 1:20 PM, Patrick Vande Walle <patrick at vande-walle.eu> wrote:
Hello Ed,
There is nothing that prevents ISPs from deploying DNSSEC-aware resolvers right away, without waiting for Rotld. They would already be able to use DNSSEC for other TLDs than .ro.
This is fairly independent from the signing of the TLD.
Indeed this is VERY true! Once the ISPs deploy DNSSEC-validating DNS resolvers, their users will be able to gain the benefit of validating DNSSEC-signed domains from around the world.
In fact, if you can get a number of the ISPs there to deploy DNSSEC-validating resolvers, it may perhaps bring some pressure on the folks behind .ro. (ex. "Why is it that Romanian users can have a DNSSEC-secured domain in .COM, .ORG, .<whatever>, but they can't have a DNSSEC-signed .RO domain?")
By the way, the folks over at SURFnet put together a great whitepaper about deploying DNSSEC-validating resolvers, including step-by-step instructions for 3 of the common resolvers:
Direct link: http://www.surfnet.nl/Documents/rapport_Deploying_DNSSEC_v20.pdf
My comments: http://www.internetsociety.org/deploy360/resources/deploying-dnssec-validation-on-recursive-caching-name-servers/
Dan
Regards,
Patrick
On 28/11/12 20:40, Eduard Tric wrote:
Dan, Peter,
Thank you for your feedback.
As already happened in June with IPv6, Romanian ISPs are keen to implement DNSSEC-aware resolvers, but cannot do it without the cooperation of Rotld (the .ro manager).
Regards,
Ed
--
Dan York
Senior Content Strategist, Internet Society
york at isoc.org +1-802-735-1624
Jabber: york at jabber.isoc.org
Skype: danyork http://twitter.com/danyork
http://www.internetsociety.org/deploy360/
--
Eduard Tric, CEO, Axetel
I encrypt therefore I am.
http://www.axetel.com
eduard at axetel.com
tel: +40740300740