[dns-operations] OARC's Open DNSSEC Validating Resolver project

Mark Andrews Mark_Andrews at isc.org
Thu Nov 6 22:22:45 UTC 2008 

In message <alpine.BSF.2.00.0811061902510.77333 at in1.dns-oarc.net>, Duane Wessel
s writes:
> 
> 
> On Wed, 5 Nov 2008, David Coulthart wrote:
> 
> > First of all I would like to say thank you to Duane & OARC for offering thi
> s 
> > service.  I continuously find OARC & this mailing list a valuable resource 
> > for experimenting & learning how to run DNS better.
> 
> Thanks!
> 
> > I am curious to know more about how you are implementing the rate limiting 
> & 
> > logging.
> 
> These servers run on FreeBSD so rate limiting is done with
> ipfw/dummynet.  It looks like this:
> 
>     pipe 1 config mask src-ip 0xffffff00 bw 1Kbit/s queue 3
>     add pipe 1 ip from any to 149.20.64.16/29 53 in
> 
> For logging I am capturing pcap files for each server.  On the BIND
> instances I also have query logging enabled.
> 
> 
> > currently revamping their mailing list site).  How do you plan on making su
> re 
> > these keys don't expire?
> 
> I'm storing the keys in an SQL database.  I have a nightly cron job
> that issues DNS queries for the keys.  If a new key is added (or
> when a key is deleted), I get an email.  Then I manually track down
> the website-published key and validate it and also check PGP
> signatures for those that publish them.
> 
> At the moment I am placing all keys into the server configuration
> as trust anchors, even if they could not be validated out-of-band.
> Perhaps at some point when we have more keys published OARC may
> decide that only validated keys would be used as trust anchors.
> 
> > Is there any reason you chose not to include the keys for the reverse zones
>  
> > published by RIPE (https://www.ripe.net/projects/disi/keys/index.html)?  I'
> m
> 
> I must admit that I was not aware of these when I started.  I'd be
> happy to add them.  On the other hand, since the IANA testbed has
> DS records for these you could validate in those zones by using
> iana-testbed.odvr.dns-oarc.net as your resolver.
> 
> > Finally, for those of us only running BIND nameservers, is there any value 
> in 
> > including the .br & .cz keys as individual trust anchors since they're 
> > already published in the ISC DLV?
> 
> It could save you some latency since your nameserver could validate
> directly instead of asking for remote validation.

	But it also increases the operational costs required to track
	the trust anchors .br and .cz.

> DW
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the dns-operations mailing list