[dns-operations] Unplanned DLV zone outage on 2009-Apr-06
eoster at cs.ucla.edu
Tue Apr 14 22:03:19 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
On Apr 14, 2009, at 3:27 PM, Lutz Donnerhacke wrote:
> On Tue, Apr 14, 2009 at 03:59:57PM -0400, Hugo Salgado wrote:
>> Lutz Donnerhacke wrote:
>>> There are other DLVs out there, i.e. dlv.vulcano.cl.
>> hey! that's my sandbox zone. it's just a test, preparing myself
>> to bypass the unforeseeable .cl signed zone ;)
> Hi, welcome to the club of DLV operators.
>> by the way, here's another production dlv repo:
> I mentioned SecSpider as a DLV, but not a TAR. They do not claim and
> do not
> want their DLV view of their database to be used as a trust source.
I think SecSpider is quite useful to resolvers. Both its DLV repo and
especially its trust-anchors file ( http://secspider.cs.ucla.edu/trust-anchors.conf
I'm not sure why you're making such a big distinction of "TAR" or
not. This seems a rather artificial distinction to me... What I
think a resolver should want to know is if the DNSKEYs it sees for a
zone are those actually being served by that zone?
Thus, I think SecSpider is quite useful for this. Our assertion is
simply that the keys we serve are those that have been observed from
our distributed polling infrastructure. We poll our corpus from
multiple points on several continents and only publish keys that are
consistent across all pollers using the name servers from both the
parent zone's view of the NS RRset and those name servers' views of
the NS RRset. We claim that this is the "public" view of keys and
that an adversary would have a phenomenally difficult time spoofing
all of our pollers, from all of a zone's name servers, at the precise/
random time that we poll (we do not use caches). Thus, our security
model revolves around making decisions based on global key consistency.
However, I believe that downloading our trust-anchors file ( http://secspider.cs.ucla.edu/trust-anchors.conf
) is a much more operationally viable choice as it lets all
verification happen locally rather than through a look-aside to a 3rd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
-----END PGP SIGNATURE-----
More information about the dns-operations