[dns-operations] OARC's Open DNSSEC Validating Resolver project
davec at columbia.edu
Wed Nov 5 14:37:29 UTC 2008
On Nov 4, 2008, at 5:03 PM, Duane Wessels wrote:
> OARC is pleased to offer open DNSSEC-validating resolvers that
> anyone can use to experiment with DNSSEC. There are currently three
> different resolvers:
> 220.127.116.11 (running BIND 9)
> 18.104.22.168 (running Unbound)
> 22.214.171.124 (IANA-testbed, running BIND 9)
> You can find further information at
> Many of you might be surprised to hear that OARC is intentionally
> operating an open resolver. We feel that the potential benefits
> outweigh the potential problems and have taken steps to minimize
> abuse. First, queries to the resolvers are rate-limited (currently
> 1 Kbit/s per /24). Second, we are logging all queries and responses
> with full packet capture. If the service is abused, we will have
> a good record of it (which will be interesting by itself) and will
> allow us to take additional measures or re-think the decision to
> have an open resolver.
First of all I would like to say thank you to Duane & OARC for
offering this service. I continuously find OARC & this mailing list a
valuable resource for experimenting & learning how to run DNS better.
I am curious to know more about how you are implementing the rate
limiting & logging.
I also wonder how you're performing key rollover management; this is a
big issue concerning me about changing my own recursive resolvers to
perform DNSSEC validation. Of the seven keys you include as trust
anchors, I haven't been able to find mailing lists for announcing key
rollover for four of them (.museum, .bg, .cz, & .pr, though I
contacted the PR NIC & they said they're currently revamping their
mailing list site). How do you plan on making sure these keys don't
Is there any reason you chose not to include the keys for the reverse
zones published by RIPE (https://www.ripe.net/projects/disi/keys/index.html)?
I'm still trying to find the "dedicated mailing list" they mention
for key rollover announcements (http://www.ripe.net/rs/reverse/dnssec/key-maintenance-procedure.html
). The only thing I've found so far is their generic ripe-list, but
that's a bit more high volume than I'd like when I'm asking my
operations group to subscribe.
Finally, for those of us only running BIND nameservers, is there any
value in including the .br & .cz keys as individual trust anchors
since they're already published in the ISC DLV?
More information about the dns-operations