[Dnssec-deployment] First signed root zone published

George Barwood george.barwood at blueyonder.co.uk
Sat Jul 17 01:38:00 EDT 2010


I have a security concern about the .SE domain.

It's easy to trigger responses > 1500 bytes, for example 

dig SOA se +dnssec

This means that IP fragmentation will typically occur, and fragments (other than the first) can
easily be spoofed, since they contain neither the source port nor the DNS ID field.

I would therefore recommend that the UDP response size be limited to ~1400 bytes.

Recent versions of BIND have an option to do this.

Ideally this would be documented in rfc2671bis-edns0; unfortunately that document
seems to be making slow progress.

Regards,
George
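As an added illustration (not part of the original message or of any BIND code), this small Python sketch shows the mechanism the recommendation relies on: a resolver advertises a bounded buffer size in its EDNS0 OPT record, and a server that honours it sets the TC bit instead of emitting a fragmented UDP datagram, so the client retries over TCP. The 1400-byte value is the one from the post; the sample responses are constructed.

```python
"""Build a DNSSEC (DO=1) EDNS0 query with a bounded UDP payload size and
inspect a reply for the truncation (TC) bit and for an oversized datagram.
Assumption: the server honours the advertised size (RFC 6891) and truncates
rather than fragmenting; no live network traffic is generated here."""
import struct

SAFE_UDP_SIZE = 1400  # the ~1400-byte bound recommended in the post


def encode_name(name):
    """Wire-format a domain name ("se" -> b"\\x02se\\x00"; "." -> b"\\x00")."""
    labels = name.strip(".").split(".") if name.strip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_edns_query(qname, qtype, txn_id, udp_size=SAFE_UDP_SIZE, do_bit=True):
    """Standard query for (qname, qtype) plus an OPT RR advertising udp_size."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLEN=0
    ttl = (1 << 15) if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)
    return header + question + opt


def inspect_response(wire, limit=SAFE_UDP_SIZE):
    """Return (size, truncated, oversized) for a raw DNS reply.

    truncated -> TC=1, the client should retry the query over TCP;
    oversized -> the datagram exceeds the limit we advertised, i.e. the
    server ignored it and the reply was exposed to IP fragmentation."""
    _txn_id, flags = struct.unpack("!HH", wire[:4])
    truncated = bool(flags & 0x0200)
    return len(wire), truncated, len(wire) > limit


# Constructed replies (no answer section) for demonstration only:
# QR=1, TC=1, RD=1, RA=1 -> a server that honoured the 1400-byte limit.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
# QR=1, RD=1, RA=1, padded to 1600 bytes -> a reply that would have fragmented.
OVERSIZED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + b"\x00" * 1588

if __name__ == "__main__":
    print(build_edns_query("se", 6, 0x1234).hex())  # SOA query, DO=1, size 1400
    print(inspect_response(TRUNCATED_REPLY), inspect_response(OVERSIZED_REPLY))
```

On the server side the equivalent knob in BIND is the `max-udp-size` option in named.conf, which caps the UDP reply size the server will use regardless of what the client advertises.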

----- Original Message ----- 
  From: Anne-Marie Eklund-Löwinder 
  To: Holger Zuleger ; Paul Wouters 
  Cc: dnssec-deployment at dnssec-deployment.org 
  Sent: Friday, July 16, 2010 5:57 AM
  Subject: Re: [Dnssec-deployment] First signed root zone published



  Hi, .SE will add its DS records in August, due to lack of resources in place during the vacation period.

  Kind regards,



  Anne-Marie Eklund Löwinder
  Quality & Security Manager
  .SE (The Internet Infrastructure Foundation),
  PO Box 7399, SE-103 91 Stockholm, Sweden
  Phone: +46 (0)8-452 35 00/17
  Mobile: +46 (0)734 315 310
  E-mail: anne-marie.eklund-lowinder at iis.se
  Web: http://www.iis.se

  .SE (The Internet Infrastructure Foundation) is responsible for the Swedish top-level Internet domain, .se. .SE is an independent public utility standing on two legs: domain name operations and development of the Internet.



  > -----Original message-----
  > From: dnssec-deployment-bounces at dnssec-deployment.org [mailto:dnssec-
  > deployment-bounces at dnssec-deployment.org] On behalf of Holger Zuleger
  > Sent: 16 July 2010 00:57
  > To: Paul Wouters
  > Cc: dnssec-deployment at dnssec-deployment.org
  > Subject: Re: [Dnssec-deployment] First signed root zone published
  > 
  > >> I am pleased to report that the first fully validatable production
  > >> signed root zone, with SOA serial number 2010071501, was published
  > >
  > > Congrats!
  > >
  > > Note to people, only 7 of the known trust anchors from itar are in
  > the root
  > > zone now, so don't remove them all just yet!
  > Does anyone know when the other 24 will move their DS records into the
  > root zone?
  > I've been using the ITAR for a long time and for example .se was my first
  > test
  > TLD, so I'm a bit astonished that they are not one of the first
  > adopters...
  > 
  > Anyway, thank you very much for deploying the first signed root zone!
  > 
  > Regards
  >  Holger

