Post ASmSuwns07RncZDlIW by bortzmeyer@mastodon.gougere.fr
Post #ASm1ZzmH3AJY0BG8Zs by bortzmeyer@mastodon.gougere.fr
2023-02-17T14:45:07Z
0 likes, 0 repeats
Soon, we resume #OARC40 https://indico.dns-oarc.net/event/46/ #LoveDNS #DNS #DNSSEC
Post #ASm3q8hPqaHQDIoRqC by bortzmeyer@mastodon.gougere.fr
2023-02-17T15:10:19Z
1 like, 2 repeats
"Guaranteeing the integrity of DNS records using PKIX Certificates" by Hyeonmin Lee. Still less than 1 % of SLDs signed. Solution: use PKIX certificates because everyone has one. #OARC40 #LoveDNS
Post #ASm4Pah3l00ZAhYCRc by bortzmeyer@mastodon.gougere.fr
2023-02-17T15:16:04Z
0 likes, 0 repeats
I guess all the questions will be rebuttals of the idea...
Post #ASm4Ww7iTmgTf8WPfE by pmevzek@framapiaf.org
2023-02-17T15:16:46Z
0 likes, 0 repeats
@bortzmeyer Grilling has started...
Post #ASm4l4RsK7JTXKgshk by bortzmeyer@mastodon.gougere.fr
2023-02-17T15:20:45Z
0 likes, 0 repeats
It is implemented in a test bed. (Not in the public DNS?) Otherwise, as expected, everybody thinks it is a very bad idea. For instance, most CAs authenticate with the DNS, so we would have circular security.
Post #ASm5IeisTg09ayerGC by bortzmeyer@mastodon.gougere.fr
2023-02-17T15:26:39Z
0 likes, 0 repeats
"Aggressive cache (RFC8198) effectiveness, the NSEC3 case" by Otto Moerbeek. The general idea of aggressive caching is to generate NXDOMAIN in the resolvers by using cached NSEC or NSEC3 records. But in practice? .nl moved from opt-out (which does not allow synthesis) to no opt-out. What happened? #DNSSEC #LoveDNS
Post #ASm5l1v5pDwJeEtx0i by jpmens@mastodon.social
2023-02-17T15:30:08Z
0 likes, 0 repeats
@bortzmeyer such a bad idea that the slides have been pulled? ;)
Post #ASm5u1YMYdJN7KYg3E by bortzmeyer@mastodon.gougere.fr
2023-02-17T15:30:59Z
0 likes, 0 repeats
Aggressive caching did not work: the number of NXDOMAIN-eliciting queries did not decrease. #DNSSEC
Post #ASm5yG9IEWWnXjqrzM by bortzmeyer@mastodon.gougere.fr
2023-02-17T15:31:10Z
0 likes, 0 repeats
@jpmens Works for me https://indico.dns-oarc.net/event/46/contributions/990/attachments/932/1763/OARC40%20-%20DNS%20security.pdf
Post #ASm6bSabugF7Q9Jzw8 by jpmens@mastodon.social
2023-02-17T15:41:30Z
0 likes, 0 repeats
@bortzmeyer works after refreshing the schedule page.
Post #ASm6oDesjoeqsSP4ue by shaft@piaille.fr
2023-02-17T15:43:44Z
0 likes, 0 repeats
@bortzmeyer Too few resolvers using it?
Post #ASm6vHsrQU5k0eJQVk by bortzmeyer@mastodon.gougere.fr
2023-02-17T15:44:12Z
0 likes, 0 repeats
After a long mathematical analysis: NSEC3 aggressive caching does not work well for large zones (like .nl). They cover too few names (NSEC is better because names, unlike hashes, are not random). #LoveDNS
Post #ASm6yzRruVA7zXS7N2 by bortzmeyer@mastodon.gougere.fr
2023-02-17T15:44:51Z
0 likes, 0 repeats
@shaft This is Netherlands. Everybody uses PowerDNS Recursor (which does NSEC3 aggressive caching).
Post #ASm7R5geJG3FRplWG8 by bortzmeyer@mastodon.gougere.fr
2023-02-17T15:50:32Z
0 likes, 0 repeats
"Expectation vs Reality - The Impact of DNSSEC Validation on Recursive Resolver Operations" by Moritz Müller. Why do not all resolvers validate? Let's ask the operators. #LoveDNS
Post #ASm7Yh7tVchlaj8QcK by shaft@piaille.fr
2023-02-17T15:51:17Z
0 likes, 0 repeats
@bortzmeyer They can use Unbound (which does aggressive caching too - and it is activated by default) :)
Post #ASm7fPggkDiVX6c5bc by jpmens@mastodon.social
2023-02-17T15:50:32Z
0 likes, 0 repeats
@bortzmeyer @shaft it's a law. #powerdns
Post #ASm7lXYgOT6PgJn3su by bortzmeyer@mastodon.gougere.fr
2023-02-17T15:52:53Z
0 likes, 0 repeats
@shaft NSEC only, not NSEC3.
Post #ASm7pb9YyCk7zNyYiW by bortzmeyer@mastodon.gougere.fr
2023-02-17T15:53:44Z
0 likes, 0 repeats
People who validate have a better opinion of #DNSSEC
Post #ASm8SL50fGKLQqJq6K by bortzmeyer@mastodon.gougere.fr
2023-02-17T16:02:10Z
0 likes, 0 repeats
Funny "DNSSEC misconfigurations increase the workload" question: people who do not validate say it will increase operations cost, people who validate think it increases the load at the help desk. #DNSSEC
Post #ASmBu2oqS0Jalgf1Sy by bortzmeyer@mastodon.gougere.fr
2023-02-17T16:40:44Z
0 likes, 0 repeats
The main use of #DNSSEC: creating topics for OARC meetings. #troll #OARC40 #LoveDNS
Post #ASmD5bb3aYLtliHuhU by bortzmeyer@mastodon.gougere.fr
2023-02-17T16:54:04Z
0 likes, 0 repeats
"Measuring TTL Violation of DNS Resolvers at scale" by Tijay Chung. Measuring is not obvious (there is more than one resolver between the Web browser and the authoritative server). Almost 10 % of the resolvers increase the very short TTLs (one minute). #OARC40 #LoveDNS
Post #ASmDX5gdp3J2uU0Qym by bortzmeyer@mastodon.gougere.fr
2023-02-17T16:58:04Z
0 likes, 0 repeats
Unreasonably short TTLs are common for CDN. Azure and Akamai will have problems, with TTLs of 10 or 20 seconds.
Post #ASmEBs47N4B8XMQsXw by bortzmeyer@mastodon.gougere.fr
2023-02-17T17:06:27Z
0 likes, 0 repeats
"Public Annotations of DNS RFCs" by Paul Hoffman. There are many #DNS #RFC and no consolidation. Solution: annotations (like in the original World-Wide Web project) of RFCs with details, design rationale, implementation, etc. #LoveDNS
Post #ASmHb8L0J8Hw6h4JKC by bortzmeyer@mastodon.gougere.fr
2023-02-17T17:44:40Z
0 likes, 0 repeats
It created a huge discussion, both on Zoom and on Mattermost. People love RFCs and care about them, so it is always passionate. There are even people who criticize the fact that some people comment on RFCs. #LoveDNS #OARC40
Post #ASmIqb3LvX1lSokX8S by winfried@fosstodon.org
2023-02-17T17:58:48Z
0 likes, 0 repeats
@bortzmeyer Very small TTLs (below 60s) should be banned. They are useless, make caching inefficient and are a waste of energy.
Post #ASmQZRQDHXP6IrlzUm by jaredmauch@mastodon.nether.net
2023-02-17T19:25:20Z
0 likes, 0 repeats
@bortzmeyer I will accept notations in the shape of an ascii art camel 🐫
Post #ASmQlfJhRkaGsAYUa0 by bortzmeyer@mastodon.gougere.fr
2023-02-17T19:26:16Z
0 likes, 0 repeats
"Realtime DNS Exfiltration Detection in Recursive Resolvers" by David Rodriguez. There is a lot of free software to create a #DNS tunnel (for instance iodine). (Nice Perl code to illustrate.) #OARC40 #LoveDNS
Post #ASmSFbCLQLXajyx6TQ by bortzmeyer@mastodon.gougere.fr
2023-02-17T19:43:58Z
0 likes, 0 repeats
The goal of the work is to find automatically, via various statistics, if there is #DNS tunneling going on. (In order to block it; nice ethical discussion in the room.)
Post #ASmSuwns07RncZDlIW by bortzmeyer@mastodon.gougere.fr
2023-02-17T19:51:28Z
0 likes, 0 repeats
"Detecting latency spikes in DNS server implementation(s)" by Petr Špaček. A mysterious problem after upgrading #BIND, which fixed itself. (I love the naming scheme for performance testing programs: flamethrower and shotgun.) #LoveDNS
Post #ASml2lRhuTZbt7jPqS by pmevzek@framapiaf.org
2023-02-17T23:14:46Z
0 likes, 0 repeats
@bortzmeyer Ethical discussion that begins with the word that starts with "a" and ends with "hole" :-)