Cyconet Blog » ripe

Is DNSSEC ready for wild life?

cyco — Fri, 20 Apr 2007 19:57:11 +0000

Today the RIPE DNS for LIRs Training Course did take place. (some not up to date course material can be found here)
Managing some thousands of zones inclusive nameserver infrastructure behind since several years, I thought it would be neat to provide a secure dns chain to our costumers.
After going deeper into the material within the course, I recognized the following impacts:

only bind9 (>= 9.3) and NSD privides support (yet)
bandwidth will be increased 2-3 times with max. key size
increased memory usage depending on your server software
operational costs will increasing dramaticaly due significant higher amount of regular work
more computing power (hardware) needed to generate dnssec ready zones and signing
unknown influence on resolving nameservers (load/memory/bandwidth)
chain of trust ends at resolving nameserver and is not provided to enduser

Since the last issue isn’t solved (yet), it doesn’t make any sence for me to invest resources into setting up DNSSec infrastructur, cause the end user would not recognize if the communication with the resolving nameserver or the resolving nameserver itself is taken over.

Any complaints and/or hint? Did I missed something?

Routing Registry Training Course and irrtoolset

cyco — Tue, 29 Nov 2005 22:34:32 +0000

Last week I passed the course, what famouse news. ;-)

It is nice to know, what is needed to write ASN-, route-, aut-num objects and so on .. to autogenerate filterconfigs in theory. In the course, I got rtconfig segfaulting on the testground server. Yes .. thats good point to start. :(

This week I did modify our database objects and play around with rtconfig … as result … rtconfig didnt work as aspected. Many of the filterlists arent build, cause I got many “Warning: filter matches ANY/NOT ANY”. Maybe this an effect of our aut-num object, which reflects the outbound policy depending on downstream ASN with different prependings. But I’m unable to find any hints whats the real problem.
Maybe its rtconfig itself, cause I got it only running on debian/sarge with a backported package which I found there. The pkgsrc-package on NetBSD core dumped. Some investigation did unearth, that the irrtoolset depends on many old libs … how bad!

The question which comes to my mind … is anybody out there using irrtoolset in production??

ipv6-first-alloc request

cyco — Fri, 18 Nov 2005 21:14:02 +0000

We decided, after we will reach the next billing categorie 2007 anyways (you remember, we got /18 allocated), that it will be neat to request a /32.
I created a sweet address plan and got the allocation in less than 5 hours approved. :-)

pa-ipv4 request

cyco — Fri, 04 Nov 2005 20:42:32 +0000

In the last days, I did clean up our RIPE database objects and our files. The reson is … I did request new pa-ipv4 on wednesday. :-)
I did fix up the 2 files, which was requested by RIPE hostmaster and I got it passed. Also my IP plans was accepted, I did request /20 and /22 for broadband.

The great news … we got /18 allocated. STRIKE! :-)

LIR Training Course

cyco — Fri, 07 Oct 2005 20:04:30 +0000

Yesterday I finished the RIPE LIR Cource second time.

They told us, that database objects are filtered since some weeks and with the -B you can get it unfiltered. This fact I was searching 2 weeks ago for some hours. I didnt recognise the announcement on db-wg mailinglist.
My opinion is, that this is a useless feature. It does confuse the NOC people and spammer do know to bypass this anyways.

Also you cant use webupdate if your maintainer only has a pgp-key. Thats realy bad … so you need X509, if you have to use webupdate and wonna use secure authentification.
To remove pgp-objects, you have to contact hostmaster@ripe.net.
Other news … its allowed to make subassignments on IPv4 and new thing … lir-partitioned.

The benefit of the course … I’m fit into other great stuff, which may come up in the future … :-)