[dns-operations] OARC's Open DNSSEC Validating Resolver project
Mark Andrews
Mark_Andrews at isc.org
Thu Nov 6 22:22:45 UTC 2008
In message <alpine.BSF.2.00.0811061902510.77333 at in1.dns-oarc.net>, Duane Wessels writes:
>
>
> On Wed, 5 Nov 2008, David Coulthart wrote:
>
> > First of all I would like to say thank you to Duane & OARC for offering this
> > service. I continuously find OARC & this mailing list a valuable resource
> > for experimenting & learning how to run DNS better.
>
> Thanks!
>
> > I am curious to know more about how you are implementing the rate limiting &
> > logging.
>
> These servers run on FreeBSD so rate limiting is done with
> ipfw/dummynet. It looks like this:
>
> pipe 1 config mask src-ip 0xffffff00 bw 1Kbit/s queue 3
> add pipe 1 ip from any to 149.20.64.16/29 53 in
>
> For logging I am capturing pcap files for each server. On the BIND
> instances I also have query logging enabled.
>
>
> > currently revamping their mailing list site). How do you plan on making sure
> > these keys don't expire?
>
> I'm storing the keys in an SQL database. I have a nightly cron job
> that issues DNS queries for the keys. If a new key is added (or
> when a key is deleted), I get an email. Then I manually track down
> the website-published key and validate it and also check PGP
> signatures for those that publish them.
>
> At the moment I am placing all keys into the server configuration
> as trust anchors, even if they could not be validated out-of-band.
> Perhaps at some point when we have more keys published OARC may
> decide that only validated keys would be used as trust anchors.
>
> > Is there any reason you chose not to include the keys for the reverse zones
> > published by RIPE (https://www.ripe.net/projects/disi/keys/index.html)? I'm
>
> I must admit that I was not aware of these when I started. I'd be
> happy to add them. On the other hand, since the IANA testbed has
> DS records for these you could validate in those zones by using
> iana-testbed.odvr.dns-oarc.net as your resolver.
>
> > Finally, for those of us only running BIND nameservers, is there any value in
> > including the .br & .cz keys as individual trust anchors since they're
> > already published in the ISC DLV?
>
> It could save you some latency since your nameserver could validate
> directly instead of asking for remote validation.
But it also increases the operational costs required to track
the trust anchors .br and .cz.
> DW
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
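The nightly trust-anchor check Duane describes above (query the DNSKEY RRset for each tracked zone, compare it with the stored copy, flag additions and removals for out-of-band verification), as an added example written for this page rather than code from OARC or ISC. The DNS lookup is injected as a callable and the keys and zone names are constructed samples, so it runs offline; the stored set is a plain dict standing in for the SQL database.

```python
"""Trust-anchor change monitor: report DNSKEY KSKs that appeared or vanished
since the last run, so an operator can verify them out of band (web page, PGP
signature) before treating them as trust anchors."""
import base64
from typing import Callable, Dict, List, NamedTuple, Set


class DnsKey(NamedTuple):
    flags: int       # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int    # always 3 for DNSSEC
    algorithm: int
    public_key: bytes


def key_tag(key: DnsKey) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, proto, alg, key)."""
    rdata = key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8        # odd bytes add as-is, even bytes shifted
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_rdata(text: str) -> DnsKey:
    """Parse presentation format 'flags protocol algorithm base64key' (as dig prints it)."""
    flags, proto, alg, b64 = text.split(None, 3)
    return DnsKey(int(flags), int(proto), int(alg), base64.b64decode("".join(b64.split())))


def check_zones(stored: Dict[str, Set[int]], lookup: Callable[[str], List[DnsKey]]) -> Dict[str, dict]:
    """Nightly check: only zones whose KSK key-tag set changed appear in the report."""
    report = {}
    for zone, known_tags in stored.items():
        served = {key_tag(k) for k in lookup(zone) if k.flags & 0x0001}   # SEP bit => KSK
        added, removed = served - known_tags, known_tags - served
        if added or removed:
            report[zone] = {"added": sorted(added), "removed": sorted(removed)}
    return report


# Constructed sample data (hypothetical zones, toy keys, not real DNSSEC material).
SAMPLE_SERVED = {
    "example.test.": ["257 3 8 AQIDBA==", "257 3 8 AA==", "256 3 8 AQIDBA=="],  # new KSK
    "rolled.test.": ["257 3 8 AA=="],                                          # old KSK gone
    "stable.test.": ["257 3 8 AQIDBA=="],                                      # unchanged
}
SAMPLE_STORED = {"example.test.": {2063}, "rolled.test.": {2063, 1033}, "stable.test.": {2063}}


def sample_lookup(zone: str) -> List[DnsKey]:
    """Stand-in for the real DNS query; returns the constructed RRset for the zone."""
    return [parse_dnskey_rdata(r) for r in SAMPLE_SERVED.get(zone, [])]


if __name__ == "__main__":
    for zone, change in check_zones(SAMPLE_STORED, sample_lookup).items():
        print(f"{zone}: added {change['added']} removed {change['removed']} -> verify out of band")
```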