[122511] in North American Network Operators' Group
RE: in-addr.arpa server problems for europe?
daemon@ATHENA.MIT.EDU (Mark Scholten)
Mon Feb 15 21:14:58 2010
From: "Mark Scholten" <mark@streamservice.nl>
To: <marka@isc.org>
In-Reply-To: <201002152337.o1FNb5mZ098702@drugs.dv.isc.org>
Date: Tue, 16 Feb 2010 03:13:55 +0100
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> -----Original Message-----
> From: marka@isc.org [mailto:marka@isc.org]
> Sent: Tuesday, February 16, 2010 12:37 AM
> To: Mark Scholten
> Cc: 'Tony Finch'; nanog@nanog.org
> Subject: Re: in-addr.arpa server problems for europe?
>
>
> In message <017901caae69$5d9e8770$18db9650$@nl>, "Mark Scholten"
> writes:
> >
> >
> > > -----Original Message-----
> > > From: Tony Finch [mailto:fanf2@hermes.cam.ac.uk] On Behalf Of Tony
> > > Finch
> > > Sent: Monday, February 15, 2010 6:21 PM
> > > To: Mark Scholten
> > > Cc: nanog@nanog.org
> > > Subject: RE: in-addr.arpa server problems for europe?
> > >
> > > On Mon, 15 Feb 2010, Mark Scholten wrote:
> > > >
> > > > I've seen problems that are only there because of DNSSEC, so if there
> > > > is a problem, starting with trying to disable DNSSEC could be a good
> > > > idea. As long as not all root zones are signed I don't see a good
> > > > reason to use DNSSEC at the moment.
> > >
> > > You realise that two of them are signed now and the rest will be
> > > signed by 1st July?
> > >
> > > Tony.
> >
> > Yes, I realise that. I also realise that not all nameserver software can
> > work as it works with DNSSEC. That is also a problem that has to be
> > solved, and as far as I know all nameserver software we use supports it
> > or will support it in the future. As long as it is not supported by all
> > nameserver software you can keep having problems.
>
> Nameservers that are not DNSSEC aware will not get responses that
> contain DNSSEC records unless a client explicitly requests a DNSSEC
> record type or makes a * (ANY) request.
>
> There is no problem to solve. Just a lot of misunderstanding.
>
> That said the majority of nameservers on the planet are DNSSEC aware
> and will request the DNSSEC record to be returned. They will also
> fall back to plain DNS if middleware blocks the response.
As you've understood, I need to read something extra about DNSSEC support.
Most of what I know about DNSSEC is based on my contacts with software
writers that create nameservers and system administrators maintaining
multiple nameservers. So, if I understand it correctly: if a resolver
requests DNSSEC information (together with, for example, www.domain.tld) and
one resolver before the AUTH nameserver doesn't have DNSSEC, it won't
ask/require DNSSEC? In that case man-in-the-middle attacks are still
possible. Also note that a provider might have multiple resolvers, with some
using/able to provide DNSSEC and others without DNSSEC support.
Mark
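The rule Mark Andrews describes above (a server only returns DNSSEC records when the query carries the EDNS0 DO bit, asks for a DNSSEC type explicitly, or asks for ANY) is easy to verify on the wire. The following script is an added illustration for this thread, not code from either poster: it builds a DNS query in wire format with no OPT record, with an OPT record and DO clear, or with DO set, then parses the query back and applies that rule. The name `www.example.com` and the `decide_includes_dnssec` helper are constructed for the example; name compression pointers are not handled, since the queries built here never contain them.

```python
"""Build minimal DNS queries (RFC 1035 + EDNS0, RFC 2671/3225) and decide
whether a DNSSEC-aware responder would include RRSIG/NSEC data.

Added example for illustration only; not code from the thread's posters.
"""
import struct

QTYPE = {"A": 1, "NS": 2, "DS": 43, "RRSIG": 46, "NSEC": 47,
         "DNSKEY": 48, "NSEC3": 50, "NSEC3PARAM": 51, "ANY": 255}
DNSSEC_TYPES = {43, 46, 47, 48, 50, 51}   # DS, RRSIG, NSEC, DNSKEY, NSEC3, NSEC3PARAM
OPT_TYPE = 41                             # EDNS0 OPT pseudo-RR
DO_FLAG = 0x8000                          # DO bit lives in the OPT "TTL" field (RFC 3225)
ANY_TYPE = 255


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, do_bit=None, txid=0x1234):
    """Return a wire-format query.

    do_bit=None  -> no OPT RR at all (legacy, non-DNSSEC-aware client)
    do_bit=False -> OPT RR present, DO clear (EDNS0 but no DNSSEC interest)
    do_bit=True  -> OPT RR present, DO set (DNSSEC-aware resolver)
    """
    arcount = 0 if do_bit is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    msg = header + question
    if do_bit is not None:
        ttl_field = DO_FLAG if do_bit else 0
        # OPT RR: root name, type 41, "class" = UDP payload size, TTL = ext flags, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl_field, 0)
    return msg


def decode_name(msg, off):
    """Decode labels at offset; returns (dotted name, new offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def parse_query(msg):
    """Parse header, first question and any OPT RR in the additional section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    do_bit = None                     # None means: no EDNS0 OPT present
    for _ in range(ar):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            do_bit = bool(ttl & DO_FLAG)
    return {"txid": txid, "qname": qname, "qtype": qtype, "do": do_bit}


def decide_includes_dnssec(query_bytes):
    """Apply the rule from the thread: DNSSEC RRs are returned only when the
    DO bit is set, a DNSSEC type is asked for by name, or the query is ANY."""
    q = parse_query(query_bytes)
    return q["do"] is True or q["qtype"] in DNSSEC_TYPES or q["qtype"] == ANY_TYPE


if __name__ == "__main__":
    for label, q in [("no OPT", build_query("www.example.com", "A")),
                     ("OPT, DO=0", build_query("www.example.com", "A", do_bit=False)),
                     ("OPT, DO=1", build_query("www.example.com", "A", do_bit=True)),
                     ("DNSKEY", build_query("example.com", "DNSKEY")),
                     ("ANY", build_query("example.com", "ANY"))]:
        print(f"{label:10s} -> DNSSEC records in answer: {decide_includes_dnssec(q)}")
```

The point for an operator is that the answer a client receives depends on what that client asked for, which is why a non-DNSSEC-aware resolver in the path never sees RRSIGs; the validating step, and therefore any protection against a forged answer, only happens at a resolver that both sets DO and validates.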