[dns-operations] OARC's Open DNSSEC Validating Resolver project
wessels at dns-oarc.net
Thu Nov 6 19:27:22 UTC 2008
On Wed, 5 Nov 2008, David Coulthart wrote:
> First of all I would like to say thank you to Duane & OARC for offering this
> service. I continuously find OARC & this mailing list a valuable resource
> for experimenting & learning how to run DNS better.
> I am curious to know more about how you are implementing the rate limiting &
These servers run on FreeBSD so rate limiting is done with
ipfw/dummynet. It looks like this:
pipe 1 config mask src-ip 0xffffff00 bw 1Kbit/s queue 3
add pipe 1 ip from any to 188.8.131.52/29 53 in
For logging I am capturing pcap files for each server. On the BIND
instances I also have query logging enabled.
> currently revamping their mailing list site). How do you plan on making sure
> these keys don't expire?
I'm storing the keys in an SQL database. I have a nightly cron job
that issues DNS queries for the keys. If a new key is added (or
when a key is deleted), I get an email. Then I manually track down
the website-published key and validate it and also check PGP
signatures for those that publish them.
At the moment I am placing all keys into the server configuration
as trust anchors, even if they could not be validated out-of-band.
Perhaps at some point when we have more keys published OARC may
decide that only validated keys would be used as trust anchors.
> Is there any reason you chose not to include the keys for the reverse zones
> published by RIPE (https://www.ripe.net/projects/disi/keys/index.html)? I'm
I must admit that I was not aware of these when I started. I'd be
happy to add them. On the other hand, since the IANA testbed has
DS records for these you could validate in those zones by using
iana-testbed.odvr.dns-oarc.net as your resolver.
> Finally, for those of us only running BIND nameservers, is there any value in
> including the .br & .cz keys as individual trust anchors since they're
> already published in the ISC DLV?
It could save you some latency since your nameserver could validate
directly instead of asking for remote validation.
More information about the dns-operations