[dns-operations] OARC's Open DNSSEC Validating Resolver project

Duane Wessels wessels at dns-oarc.net
Thu Nov 6 19:27:22 UTC 2008

On Wed, 5 Nov 2008, David Coulthart wrote:

> First of all I would like to say thank you to Duane & OARC for offering this 
> service.  I continuously find OARC & this mailing list a valuable resource 
> for experimenting & learning how to run DNS better.
> I am curious to know more about how you are implementing the rate limiting & 
> logging.

These servers run on FreeBSD so rate limiting is done with
ipfw/dummynet.  It looks like this:

    pipe 1 config mask src-ip 0xffffff00 bw 1Kbit/s queue 3
    add pipe 1 ip from any to 53 in

For logging I am capturing pcap files for each server.  On the BIND
instances I also have query logging enabled.

> currently revamping their mailing list site).  How do you plan on making sure 
> these keys don't expire?

I'm storing the keys in an SQL database.  I have a nightly cron job
that issues DNS queries for the keys.  If a new key is added (or
when a key is deleted), I get an email.  Then I manually track down
the website-published key and validate it and also check PGP
signatures for those that publish them.

At the moment I am placing all keys into the server configuration
as trust anchors, even if they could not be validated out-of-band.
Perhaps at some point when we have more keys published OARC may
decide that only validated keys would be used as trust anchors.

> Is there any reason you chose not to include the keys for the reverse zones 
> published by RIPE (https://www.ripe.net/projects/disi/keys/index.html)?  I'm

I must admit that I was not aware of these when I started.  I'd be
happy to add them.  On the other hand, since the IANA testbed has
DS records for these you could validate in those zones by using
iana-testbed.odvr.dns-oarc.net as your resolver.

> Finally, for those of us only running BIND nameservers, is there any value in 
> including the .br & .cz keys as individual trust anchors since they're 
> already published in the ISC DLV?

It could save you some latency since your nameserver could validate
directly instead of asking for remote validation.
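The nightly key-tracking check described in the reply above, as an added example that is not part of the original post or of OARC's own code: it compares a stored set of DNSKEYs against a freshly queried set and reports additions and removals, labelling each key by its RFC 4034 key tag. The zone name and key material are constructed; a live version would fill OBSERVED from real DNSKEY queries and STORED from the key database.

```python
import base64
import struct

# Constructed stand-in for the key store (the SQL table in the post): zone ->
# list of DNSKEY RDATA as (flags, protocol, algorithm, base64 public key).
STORED = {
    "example.test.": [(257, 3, 8, "AQIDBA=="), (256, 3, 8, "//8=")],
}
# Constructed stand-in for what last night's DNSKEY query returned: the ZSK
# has been rolled, so one key appears and one disappears.
OBSERVED = {
    "example.test.": [(257, 3, 8, "AQIDBA=="), (256, 3, 8, "AAEC")],
}


def dnskey_keytag(flags, protocol, algorithm, key_b64):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def key_ids(records):
    """Identify each key by zone, key tag and full RDATA, so tag collisions cannot hide a change."""
    return {(zone, dnskey_keytag(*rr), rr) for zone, rrs in records.items() for rr in rrs}


def diff_trust_anchors(stored, observed):
    """Return (added, removed): the two events the nightly job mails about."""
    old, new = key_ids(stored), key_ids(observed)
    return sorted(new - old), sorted(old - new)


def report(stored, observed):
    """One line per change; in the real job this is the body of the alert email."""
    added, removed = diff_trust_anchors(stored, observed)
    lines = [f"ADDED   {z} keytag={t} flags={rr[0]}" for z, t, rr in added]
    lines += [f"REMOVED {z} keytag={t} flags={rr[0]}" for z, t, rr in removed]
    return lines


if __name__ == "__main__":
    for line in report(STORED, OBSERVED):
        print(line)
```

An ADDED line is the trigger for the out-of-band step in the post: fetch the operator's published key, compare it, and check any PGP signature before treating it as a trust anchor.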
