in-addr.arpa server problems for europe?

Mark Scholten mark at streamservice.nl
Mon Feb 15 20:13:55 CST 2010


> -----Original Message-----
> From: marka at isc.org [mailto:marka at isc.org]
> Sent: Tuesday, February 16, 2010 12:37 AM
> To: Mark Scholten
> Cc: 'Tony Finch'; nanog at nanog.org
> Subject: Re: in-addr.arpa server problems for europe?
> 
> 
> In message <[email protected]>, "Mark Scholten"
> writes:
> >
> >
> > > -----Original Message-----
> > > From: Tony Finch [mailto:fanf2 at hermes.cam.ac.uk] On Behalf Of Tony
> > > Finch
> > > Sent: Monday, February 15, 2010 6:21 PM
> > > To: Mark Scholten
> > > Cc: nanog at nanog.org
> > > Subject: RE: in-addr.arpa server problems for europe?
> > >
> > > On Mon, 15 Feb 2010, Mark Scholten wrote:
> > > >
> > > > I've seen problems that are only there because of DNSSEC, so if there
> > > > is a problem starting with trying to disable DNSSEC could be a good
> > > > idea. As long as not all rootzones are signed I don't see a good
> > > > reason to use DNSSEC at the moment.
> > >
> > > You realise that two of them are signed now and the rest will be
> > > signed by 1st July?
> > >
> > > Tony.
> >
> > Yes, I realise that. I also realise that not all nameserver software
> > can work as it works with DNSSEC. That is also a problem that has to be
> > solved, and as far as I know all nameserver software we use supports it
> > or will support it in the future. As long as it is not supported by all
> > nameserver software you can keep problems.
> 
> Nameservers that are not DNSSEC aware will not get responses that
> contain DNSSEC records unless a client explicitly requests a DNSSEC
> record type or makes a * (ANY) request.
> 
> There is no problem to solve.  Just a lot of misunderstanding.
> 
> That said the majority of nameservers on the planet are DNSSEC aware
> and will request the DNSSEC record to be returned.  They will also
> fall back to plain DNS if middleware blocks the response.

As you've understood, I need to read something extra about DNSSEC support.
Most things I know about DNSSEC are based on my contacts with software
writers that create nameservers and system administrators maintaining
multiple nameservers. So if I understand it correctly: if a resolver
requests DNSSEC information (together with, for example, www.domain.tld) and one
resolver before the AUTH nameserver doesn't have DNSSEC, it won't ask/require
DNSSEC? In that case man-in-the-middle attacks are still possible. Also note
that a provider might have multiple resolvers, with some using/able to
provide DNSSEC and others without DNSSEC support.

Mark
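The quoted explanation (DNSSEC records are only returned when the query sets the EDNS DO bit, asks for a DNSSEC record type, or asks for ANY) and the question above about a non-DNSSEC hop sitting between a validating resolver and the authoritative server can both be modelled in a few lines. The following is an added example written for this archive page, not code from anyone in the thread: a toy authoritative server that applies the RFC 4035 section 3.1 rule, plus a function that imitates a forwarder without EDNS support by dropping the OPT record. The zone data, the packet contents and the RRSIG text are constructed placeholders. It shows that once the OPT record is lost at an intermediate hop, the answer arrives with no RRSIG at all, which is what a validating resolver on the near side will notice.

```python
"""Toy model of how an authoritative server decides whether to include
DNSSEC records (RFC 4035, section 3.1): RRSIGs are added only when the
query carries an EDNS OPT record with the DO bit set, or when the client
explicitly asks for a DNSSEC type or for ANY.  The zone data below is
constructed for the example; the RRSIG text is a placeholder, not a real
signature."""
import struct

QTYPE_A, QTYPE_RRSIG, QTYPE_ANY = 1, 46, 255
TYPE_OPT = 41
DO_BIT = 0x8000  # top bit of the 16-bit flags word carried in the OPT TTL field

ZONE = {  # constructed sample data, not a real zone
    "A": [("A", "192.0.2.10")],
    "RRSIG": [("RRSIG", "A 8 3 3600 <placeholder signature>")],
}


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode an uncompressed wire-format name starting at offset off."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n


def build_query(name, qtype, edns=True, do=True, txid=0x1234):
    """Build a query packet; edns=False omits the OPT record entirely,
    which is what a forwarder without EDNS support sends onward."""
    arcount = 1 if edns else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)        # class IN
    if edns:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode | version | flags (DO is the high flag bit), no rdata
        flags = DO_BIT if do else 0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, flags, 0)
    return pkt


def parse_query(pkt):
    """Return the question plus whether EDNS and the DO bit are present."""
    _txid, _flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    assert qd == 1, "example handles single-question queries only"
    off = 12
    name, off = decode_name(pkt, off)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    edns = do = False
    for _ in range(ar):
        _owner, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns, do = True, bool(ttl & DO_BIT)
    return {"name": name, "qtype": qtype, "edns": edns, "do": do}


def authoritative_answer(query_pkt):
    """Answer section a security-aware server returns for the query."""
    q = parse_query(query_pkt)
    if q["qtype"] == QTYPE_ANY:        # ANY returns every RRset, signatures included
        return ZONE["A"] + ZONE["RRSIG"]
    if q["qtype"] == QTYPE_RRSIG:      # explicitly requested: treated as ordinary data
        return list(ZONE["RRSIG"])
    if q["qtype"] == QTYPE_A:
        answers = list(ZONE["A"])
        if q["do"]:                    # only a DO=1 query gets the RRSIG added
            answers += ZONE["RRSIG"]
        return answers
    return []


def forward_without_edns(query_pkt):
    """Model a hop that does not speak EDNS: the OPT record (and with it
    the DO bit) is dropped before the query reaches the authoritative server."""
    q = parse_query(query_pkt)
    return build_query(q["name"], q["qtype"], edns=False)


def has_signatures(answers):
    """The first thing a validating resolver checks: did any RRSIG come back?"""
    return any(rtype == "RRSIG" for rtype, _ in answers)


if __name__ == "__main__":
    direct = build_query("www.example.net.", QTYPE_A, do=True)
    print("direct, DO=1:", has_signatures(authoritative_answer(direct)))
    via_old_hop = forward_without_edns(direct)
    print("via non-EDNS hop:", has_signatures(authoritative_answer(via_old_hop)))
```

Run it as a script to see the two cases side by side: the direct DO=1 query gets its RRSIG, the same query relayed through the non-EDNS hop does not. The model only covers uncompressed names and a single question, which is all a query needs; a real server would of course also have to handle compression pointers and the response side of EDNS.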
