[dns-operations] Statement: Issues using BIND 9.4 & 9.5 with DLV and certain DNSSEC-signed zones

Eric Osterweil eoster at cs.ucla.edu
Fri Apr 24 19:17:42 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Apr 24, 2009, at 12:10 PM, Chris Thompson wrote:

> On Apr 22 2009, Florian Weimer wrote:
>
>> * Michael Graff:
> [...]
>>> How many more weeks do you think we should delay re-adding .gov to
>>> dlv.isc.org?  And what, specifically, do you suggest be the all- 
>>> clear
>>> trigger?
>>
>> A working signed delegation for nist.gov (or any other child zone).
>
> We can tell that there *are* signed delegations from gov, even if we
> don't know what they are. "Working" is, I suppose, more difficult to
> judge.
>
> I collected a sample of 1271 NSEC3 records from the gov zone by random
> probing. (I guesstimate that I have very roughly half of them.) Of  
> these
> 10 indicated the existence of a DS record, e.g.
> 5066E5JAKAO44M42VQK68BTJBEVGFFK9.gov. 10800 IN NSEC3 (
> 1 0 10 ABAB 50JLCITE3VVN0BUAUC0G5RJVO62P7DVU NS DS RRSIG )

We track 35 DNSSEC gov zones at SecSpider.  We also track the gov  
island as consisting of 9 "production" zones:
	http://secspider.cs.ucla.edu/islands.html

People are welcome to look up the gov zones on our web site.

Eric
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)

iEYEARECAAYFAknyEFoACgkQK/tq6CJjZQL3ZgCfaaqB8Ti0x1hh2yrKOrbMlpKS
gb4AnjqIloQoD7oDMQj79PI2h1/pOT79
=3SiM
-----END PGP SIGNATURE-----



More information about the dns-operations mailing list