[Dnssec-deployment] First signed root zone published

Eric Osterweil eoster at cs.ucla.edu
Sat Jul 17 02:13:57 EDT 2010



But has anyone seen a PMTU issue with .se?  I know SecSpider has not.  

I think there is an inherent danger in being overly aggressive in tightening configurations by artificially lowering the configuration in BIND.

Eric

On Jul 16, 2010, at 10:38 PM, George Barwood wrote:

> I have a security concern about the .SE domain.
>  
> It's easy to trigger responses > 1500 bytes, for example
>  
> dig SOA se +dnssec
>  
> This means that IP fragmentation will typically occur, and fragments (other than the first) can
> easily be spoofed, since they contain neither the source port nor the DNS ID field.
>  
> I would therefore recommend that the UDP response size be limited to ~1400 bytes.
>  
> Recent versions of BIND have an option to do this.
>  
> Ideally this would be documented in rfc2671bis-edns0, unfortunately that document
> seems to be making slow progress.
>  
> Regards,
> George
>  
> ----- Original Message -----
> From: Anne-Marie Eklund-Löwinder
> To: Holger Zuleger ; Paul Wouters
> Cc: dnssec-deployment at dnssec-deployment.org
> Sent: Friday, July 16, 2010 5:57 AM
> Subject: Re: [Dnssec-deployment] First signed root zone published
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>  
> Hi, .SE will add its DS records in August, due to lack of resources in place during the vacation period.
>  
> Kind regards,
>  
>  
>  
> Anne-Marie Eklund Löwinder
> Quality & Security Manager
> .SE (The Internet Infrastructure Foundation),
> PO Box 7399, SE-103 91 Stockholm, Sweden
> Phone: +46 (0)8-452 35 00/17
> Mobile: +46 (0)734 315 310
> E-mail: anne-marie.eklund-lowinder at iis.se
> Web: http://www.iis.se
>  
> .SE (The Internet Infrastructure Foundation) is responsible for the top-level Swedish Internet’s domain, .se. .SE is an independent public utility standing on two legs: domain name operations and development of the Internet.
>  
>  
>  
> > -----Original Message-----
> > From: dnssec-deployment-bounces at dnssec-deployment.org [mailto:dnssec-deployment-bounces at dnssec-deployment.org] On behalf of Holger Zuleger
> > Sent: 16 July 2010 00:57
> > To: Paul Wouters
> > Cc: dnssec-deployment at dnssec-deployment.org
> > Subject: Re: [Dnssec-deployment] First signed root zone published
> >
> > >> I am pleased to report that the first fully validatable production
> > >> signed root zone, with SOA serial number 2010071501, was published
> > >
> > > Congrats!
> > >
> > > Note to people, only 7 of the known trust anchors from itar are in the root
> > > zone now, so don't remove them all just yet!
> > Does anyone know when the other 24 will move their DS records into the
> > root zone?
> > I'm using the ITAR for a long time and for example .se was my first test
> > TLD, so I'm a bit astonished that they are not one of the first adopters...
> >
> > Anyway, thank you very much for deploying the first signed root zone!
> >
> > Regards
> >  Holger
>  
> -----BEGIN PGP SIGNATURE-----
> Version: 9.12.0 (Build 1035)
> Charset: utf-8
>  
> wj8DBQFMP+bDpdzwAUKxz5QRAnwVAJsFkbjmg1Ml5OwsUi+qaAWWZFNRgACdFUlk
> 3kspGPsQ7zmwDKAGRhcInWI=
> =gER8
> -----END PGP SIGNATURE-----
>  
>  
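
The fragmentation point raised in George Barwood's quoted message, as an added example that is not part of the original thread: it splits a UDP datagram the way IPv4 fragmentation does and reports which query-matching fields (source port, DNS ID) are present in each fragment. It assumes a 20-byte IPv4 header without options and a 1500-byte MTU; the function names, ports and sample message are constructed for illustration.

```python
import struct

IP_HDR, UDP_HDR = 20, 8  # assumption: IPv4 header without options

def fits_in_one_packet(dns_len, mtu=1500):
    """True if a DNS/UDP response of dns_len bytes needs no IP fragmentation."""
    return IP_HDR + UDP_HDR + dns_len <= mtu

def fragment(src_port, dst_port, dns_msg, mtu=1500):
    """Split one UDP datagram into the data portions of its IPv4 fragments."""
    udp = struct.pack("!HHHH", src_port, dst_port,
                      UDP_HDR + len(dns_msg), 0) + dns_msg  # checksum left 0
    step = (mtu - IP_HDR) // 8 * 8  # fragment offsets count 8-byte units
    return [{"offset": off, "more": off + step < len(udp),
             "data": udp[off:off + step]}
            for off in range(0, len(udp), step)]

def checkable_fields(frag):
    """Fields of this fragment that a receiver can match to its query."""
    if frag["offset"] != 0:
        return {}  # only continuation bytes: no UDP header, no DNS header
    sport, dport = struct.unpack("!HH", frag["data"][:4])
    (dns_id,) = struct.unpack("!H", frag["data"][UDP_HDR:UDP_HDR + 2])
    return {"src_port": sport, "dst_port": dport, "dns_id": dns_id}

# Constructed sample: a 1600-byte "response" with DNS ID 0xBEEF, from port 53
# to a resolver's ephemeral port 33333. The body is padding, not real records.
SAMPLE = struct.pack("!H", 0xBEEF) + bytes(1598)

if __name__ == "__main__":
    for f in fragment(53, 33333, SAMPLE):
        print(f["offset"], len(f["data"]), f["more"], checkable_fields(f))
    print("1400-byte response fits:", fits_in_one_packet(1400))
```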
