[Dnssec-deployment] First signed root zone published
george.barwood at blueyonder.co.uk
Sat Jul 17 01:38:00 EDT 2010
I have a security concern about the .SE domain.
It's easy to trigger responses > 1500 bytes, for example
dig SOA se +dnssec
This means that IP fragmentation will typically occur, and fragments (other than the first) can
easily be spoofed, since they contain neither the source port nor the DNS ID field.
I would therefore recommend that the UDP response size be limited to ~1400 bytes.
Recent versions of BIND have an option to do this.
Ideally this would be documented in rfc2671bis-edns0; unfortunately that document
seems to be making slow progress.
----- Original Message -----
From: Anne-Marie Eklund-Löwinder
To: Holger Zuleger ; Paul Wouters
Cc: dnssec-deployment at dnssec-deployment.org
Sent: Friday, July 16, 2010 5:57 AM
Subject: Re: [Dnssec-deployment] First signed root zone published
Hi, .SE will add its DS records in August, due to lack of resources in place during the vacation period.
Anne-Marie Eklund Löwinder
Quality & Security Manager
.SE (The Internet Infrastructure Foundation),
PO Box 7399, SE-103 91 Stockholm, Sweden
Phone: +46 (0)8-452 35 00/17
Mobile: +46 (0)734 315 310
E-mail: anne-marie.eklund-lowinder at iis.se
.SE (The Internet Infrastructure Foundation) is responsible for the top-level Swedish Internet’s domain, .se. .SE is an independent public utility standing on two legs: domain name operations and development of the Internet.
> -----Original message-----
> From: dnssec-deployment-bounces at dnssec-deployment.org [mailto:dnssec-
> deployment-bounces at dnssec-deployment.org] On behalf of Holger Zuleger
> Sent: 16 July 2010 00:57
> To: Paul Wouters
> Cc: dnssec-deployment at dnssec-deployment.org
> Subject: Re: [Dnssec-deployment] First signed root zone published
> >> I am pleased to report that the first fully validatable production
> >> signed root zone, with SOA serial number 2010071501, was published
> > Congrats!
> > Note to people, only 7 of the known trust anchors from itar are in
> the root
> > zone now, so don't remove them all just yet!
> Does anyone know when the other 24 will move their DS records into the
> root zone?
> I've been using the ITAR for a long time and for example .se was my first
> TLD, so I'm a bit astonished that they are not one of the first.
> Anyway, thank you very much for deploying the first signed root zone!