[dns-operations] OARC's Open DNSSEC Validating Resolver project

David Coulthart davec at columbia.edu
Wed Nov 5 14:37:29 UTC 2008


On Nov 4, 2008, at 5:03 PM, Duane Wessels wrote:
> OARC is pleased to offer open DNSSEC-validating resolvers that
> anyone can use to experiment with DNSSEC.  There are currently three
> different resolvers:
>
>   149.20.64.20 (running BIND 9)
>   149.20.64.21 (running Unbound)
>   149.20.64.22 (IANA-testbed, running BIND 9)
>
> You can find further information at
> https://www.dns-oarc.net/oarc/services/odvr
>
> Many of you might be surprised to hear that OARC is intentionally
> operating an open resolver.  We feel that the potential benefits
> outweigh the potential problems and have taken steps to minimize
> abuse.  First, queries to the resolvers are rate-limited (currently
> 1 Kbit/s per /24).  Second, we are logging all queries and responses
> with full packet capture.  If the service is abused, we will have
> a good record of it (which will be interesting by itself) and will
> allow us to take additional measures or re-think the decision to
> have an open resolver.

First of all I would like to say thank you to Duane & OARC for  
offering this service.  I continuously find OARC & this mailing list a  
valuable resource for experimenting & learning how to run DNS better.

I am curious to know more about how you are implementing the rate  
limiting & logging.

I also wonder how you're performing key rollover management; this is a  
big issue concerning me about changing my own recursive resolvers to  
perform DNSSEC validation.  Of the seven keys you include as trust  
anchors, I haven't been able to find mailing lists for announcing key  
rollover for four of them (.museum, .bg, .cz, & .pr, though I  
contacted the PR NIC & they said they're currently revamping their  
mailing list site).  How do you plan on making sure these keys don't  
expire?

Is there any reason you chose not to include the keys for the reverse
zones published by RIPE (https://www.ripe.net/projects/disi/keys/index.html)?
I'm still trying to find the "dedicated mailing list" they mention
for key rollover announcements
(http://www.ripe.net/rs/reverse/dnssec/key-maintenance-procedure.html).
The only thing I've found so far is their generic ripe-list, but
that's a bit more high volume than I'd like when I'm asking my
operations group to subscribe.

Finally, for those of us only running BIND nameservers, is there any  
value in including the .br & .cz keys as individual trust anchors  
since they're already published in the ISC DLV?

Thanks,
Dave Coulthart
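The key-rollover worry raised above (a statically configured trust anchor silently going stale once the zone rolls its KSK) is easy to catch with a periodic check. The following is an added example, not code from the thread or from OARC: it parses a BIND 9 `trusted-keys` block, computes each anchor's key tag per RFC 4034 Appendix B, and reports any anchor whose key material no longer appears in the DNSKEY RRset the zone currently publishes. The zone name, keys and DNSKEY lines are constructed for illustration; in practice the published set would come from `dig +dnssec DNSKEY <zone>` output.

```python
"""Added example (not from the original thread): compare BIND 9 trusted-keys
entries against the DNSKEY RRset a zone publishes today, so a trust anchor
that has been rolled away is noticed before validation starts failing.
All names and keys below are constructed for illustration."""
import base64
import re
import struct

# Constructed trusted-keys block in BIND 9 syntax (hypothetical keys).
TRUSTED_KEYS_CONF = """
trusted-keys {
    "example." 257 3 5 "AQAB";
    "example." 257 3 5 "AQAB
                        AAAB";
};
"""

# Constructed DNSKEY RRset in the presentation format `dig DNSKEY` prints,
# standing in for what the zone publishes right now.
PUBLISHED_DNSKEYS = [
    "example. 3600 IN DNSKEY 257 3 5 AQABAAAB",
    "example. 3600 IN DNSKEY 256 3 5 AQABAQAC",
]


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _norm(name):
    """Lower-case the owner name and make it fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_trusted_keys(conf):
    """Return [(owner, flags, protocol, algorithm, pubkey_bytes)] per entry."""
    pat = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')
    out = []
    for m in pat.finditer(conf):
        owner, flags, proto, alg, b64 = m.groups()
        key = base64.b64decode(re.sub(r"\s+", "", b64))  # keys may be line-wrapped
        out.append((_norm(owner), int(flags), int(proto), int(alg), key))
    return out


def parse_dnskey_records(lines):
    """Parse 'owner ttl IN DNSKEY flags proto alg base64...' presentation lines."""
    out = []
    for line in lines:
        f = line.split()
        if len(f) < 8 or f[3].upper() != "DNSKEY":
            continue
        key = base64.b64decode("".join(f[7:]))
        out.append((_norm(f[0]), int(f[4]), int(f[5]), int(f[6]), key))
    return out


def stale_anchors(conf, published_lines):
    """Return [(owner, key_tag)] for configured anchors the zone no longer publishes.

    Comparison is on the full key material, not the tag alone, because key
    tags are not unique and a tag match would not prove the anchor is current.
    """
    published = set(parse_dnskey_records(published_lines))
    stale = []
    for owner, flags, proto, alg, key in parse_trusted_keys(conf):
        if (owner, flags, proto, alg, key) not in published:
            stale.append((owner, key_tag(flags, proto, alg, key)))
    return stale


if __name__ == "__main__":
    for owner, tag in stale_anchors(TRUSTED_KEYS_CONF, PUBLISHED_DNSKEYS):
        print(f"anchor {owner} tag {tag} is no longer in the published DNSKEY RRset")
```

Run on a schedule against each anchored zone, this flags the first constructed anchor (tag 1542) as stale while the second still matches. A stale result is only a prompt to go look: the replacement key must still be obtained through whatever out-of-band channel the zone operator provides, since a resolver that updates its own anchors from the DNS defeats the point of having them.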