4:09 p.m.
Nothing's ever easy, is it?
So I got pdns up and going this afternoon with it's geo back end. It's
working as expected and everything is good. The problem is pdns's dnssec
implementation is... not particularly mature or really even usable AFAIK
with geodns.
Anyone out there doing both geo location and dnssec with their name
servers?
-Mike
5:29 p.m.
On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath(a)redhat.com> wrote:
Nothing's ever easy, is it?
So I got pdns up and going this afternoon with it's geo back end. It's
working as expected and everything is good. The problem is pdns's dnssec
implementation is... not particularly mature or really even usable AFAIK
with geodns.
Anyone out there doing both geo location and dnssec with their name
servers?
Not really. Most places I know do not do dns-sec (either waiting until
.com/.org is signed or until its required) or if they are doing
dns-sec aren't doing geoip. The solutions that comes to mind would be
to have the geoip code in an unsigned sub-zone. Its not great but
until 2011 I don't see it being much better.
-Mike
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
--
Stephen J Smoogen.
Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning
9:13 p.m.
On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath
<mmcgrath(a)redhat.com> wrote:
> Nothing's ever easy, is it?
>
> So I got pdns up and going this afternoon with it's geo back end. It's
> working as expected and everything is good. The problem is pdns's dnssec
> implementation is... not particularly mature or really even usable AFAIK
> with geodns.
>
> Anyone out there doing both geo location and dnssec with their name
> servers?
Not really. Most places I know do not do dns-sec (either waiting until
.com/.org is signed or until its required) or if they are doing
dns-sec aren't doing geoip. The solutions that comes to mind would be
to have the geoip code in an unsigned sub-zone. Its not great but
until 2011 I don't see it being much better.
Ugh, I really don't want to have to choose, nb did great work with getting
dnssec going.
-Mike
9:18 p.m.
On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath <mmcgrath(a)redhat.com> wrote:
On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath(a)redhat.com> wrote:
> > Nothing's ever easy, is it?
> >
> > So I got pdns up and going this afternoon with it's geo back end. It's
> > working as expected and everything is good. The problem is pdns's dnssec
> > implementation is... not particularly mature or really even usable AFAIK
> > with geodns.
> >
> > Anyone out there doing both geo location and dnssec with their name
> > servers?
>
> Not really. Most places I know do not do dns-sec (either waiting until
> .com/.org is signed or until its required) or if they are doing
> dns-sec aren't doing geoip. The solutions that comes to mind would be
> to have the geoip code in an unsigned sub-zone. Its not great but
> until 2011 I don't see it being much better.
>
Ugh, I really don't want to have to choose, nb did great work with getting
dnssec going.
I would only do it for a subzone and not for the main one. Basically
have ns1/ns2 have the signed zones and the subzones on another one.
--
Stephen J Smoogen.
Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning
9:27 p.m.
On Sat, Nov 21, 2009 at 1:18 PM, Stephen John Smoogen <smooge(a)gmail.com> wrote:
On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath
<mmcgrath(a)redhat.com> wrote:
> On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
>
>> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath(a)redhat.com> wrote:
>> > Nothing's ever easy, is it?
>> >
>> > So I got pdns up and going this afternoon with it's geo back end.
It's
>> > working as expected and everything is good. The problem is pdns's
dnssec
>> > implementation is... not particularly mature or really even usable AFAIK
>> > with geodns.
>> >
>> > Anyone out there doing both geo location and dnssec with their name
>> > servers?
>>
>> Not really. Most places I know do not do dns-sec (either waiting until
>> .com/.org is signed or until its required) or if they are doing
>> dns-sec aren't doing geoip. The solutions that comes to mind would be
>> to have the geoip code in an unsigned sub-zone. Its not great but
>> until 2011 I don't see it being much better.
>>
>
> Ugh, I really don't want to have to choose, nb did great work with getting
> dnssec going.
I would only do it for a subzone and not for the main one. Basically
have ns1/ns2 have the signed zones and the subzones on another one.
Surely this is
going to increase the time needed for clients to
perform DNS lookups on the content we got GEO-Located (i.e.
fedoraproject.org/admin.fedoraproject.org)
- Nigel
9:36 p.m.
On Fri, Nov 20, 2009 at 8:27 PM, Nigel Jones <dev(a)nigelj.com> wrote:
On Sat, Nov 21, 2009 at 1:18 PM, Stephen John Smoogen
<smooge(a)gmail.com> wrote:
> On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath <mmcgrath(a)redhat.com> wrote:
>> Ugh, I really don't want to have to choose, nb did great
work with getting
>> dnssec going.
>
> I would only do it for a subzone and not for the main one. Basically
> have ns1/ns2 have the signed zones and the subzones on another one.
Surely this is going to increase the time needed for clients to
perform DNS lookups on the content we got GEO-Located (i.e.
fedoraproject.org/admin.fedoraproject.org)
Usually the time is really pretty small.
- Nigel
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
--
Stephen J Smoogen.
Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning
10:09 p.m.
On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath
<mmcgrath(a)redhat.com> wrote:
> On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
>
>> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath(a)redhat.com>
wrote:
>> > Nothing's ever easy, is it?
>> >
>> > So I got pdns up and going this afternoon with it's geo back end.
It's
>> > working as expected and everything is good. The problem is pdns's
dnssec
>> > implementation is... not particularly mature or really even usable AFAIK
>> > with geodns.
>> >
>> > Anyone out there doing both geo location and dnssec with their name
>> > servers?
>>
>> Not really. Most places I know do not do dns-sec (either waiting until
>> .com/.org is signed or until its required) or if they are doing
>> dns-sec aren't doing geoip. The solutions that comes to mind would be
>> to have the geoip code in an unsigned sub-zone. Its not great but
>> until 2011 I don't see it being much better.
>>
>
> Ugh, I really don't want to have to choose, nb did great work with getting
> dnssec going.
I would only do it for a subzone and not for the main one. Basically
have ns1/ns2 have the signed zones and the subzones on another one.
So, for example 'fedoraproject.org' wouldn't be signed, but
'us.fedoraproject.org' would be? I *think* that's possible but I haven't
gotten it to work. If I can get that to work though I guess that makes
sense because A) it'd work for now and B) I'm sure over time pdns's dnssec
will continue to mature.
-Mike
10:22 p.m.
On Fri, 20 Nov 2009, Mike McGrath wrote:
On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
> On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath <mmcgrath(a)redhat.com> wrote:
> > On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
> >
> >> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath(a)redhat.com>
wrote:
> >> > Nothing's ever easy, is it?
> >> >
> >> > So I got pdns up and going this afternoon with it's geo back end.
It's
> >> > working as expected and everything is good. The problem is pdns's
dnssec
> >> > implementation is... not particularly mature or really even usable
AFAIK
> >> > with geodns.
> >> >
> >> > Anyone out there doing both geo location and dnssec with their name
> >> > servers?
> >>
> >> Not really. Most places I know do not do dns-sec (either waiting until
> >> .com/.org is signed or until its required) or if they are doing
> >> dns-sec aren't doing geoip. The solutions that comes to mind would be
> >> to have the geoip code in an unsigned sub-zone. Its not great but
> >> until 2011 I don't see it being much better.
> >>
> >
> > Ugh, I really don't want to have to choose, nb did great work with getting
> > dnssec going.
>
> I would only do it for a subzone and not for the main one. Basically
> have ns1/ns2 have the signed zones and the subzones on another one.
>
So, for example 'fedoraproject.org' wouldn't be signed, but
'us.fedoraproject.org' would be? I *think* that's possible but I
haven't
gotten it to work. If I can get that to work though I guess that makes
sense because A) it'd work for now and B) I'm sure over time pdns's dnssec
will continue to mature.
I should explain this to people not familiar with pdns with the geo
backend (as I was unfamiliar about 12 hours ago :)
right now I've got powerdns to literally pull from our normal bind configs
(with a few modifications). pdns uses this for most of it's data. But
the geo ip lookups would happen prior to the bind lookups and the way it's
setup now would return a cname. So, depending on where you are located
and how we set things up. 'fedoraproject.org' would point to
us.fedoraproject.org or de.fedoraproject.org or maybe even na or
eu.fedoraproject.org.
AFAIK, that cname can't be signed with the way pdns currently works.
*however* I think what the cname points to could be signed. I'm not sure
if this completely bypasses what dnssec would get us or not but I suspect
it's the a record signings that are the most important.
Thoughts?
-Mike
10:27 p.m.
On Fri, Nov 20, 2009 at 9:09 PM, Mike McGrath <mmcgrath(a)redhat.com> wrote:
On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
> On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath <mmcgrath(a)redhat.com> wrote:
> > On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
> >
> >> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath(a)redhat.com>
wrote:
> >> > Nothing's ever easy, is it?
> >> >
> >> > So I got pdns up and going this afternoon with it's geo back end.
It's
> >> > working as expected and everything is good. The problem is pdns's
dnssec
> >> > implementation is... not particularly mature or really even usable
AFAIK
> >> > with geodns.
> >> >
> >> > Anyone out there doing both geo location and dnssec with their name
> >> > servers?
> >>
> >> Not really. Most places I know do not do dns-sec (either waiting until
> >> .com/.org is signed or until its required) or if they are doing
> >> dns-sec aren't doing geoip. The solutions that comes to mind would be
> >> to have the geoip code in an unsigned sub-zone. Its not great but
> >> until 2011 I don't see it being much better.
> >>
> >
> > Ugh, I really don't want to have to choose, nb did great work with getting
> > dnssec going.
>
> I would only do it for a subzone and not for the main one. Basically
> have ns1/ns2 have the signed zones and the subzones on another one.
>
So, for example 'fedoraproject.org' wouldn't be signed, but
'us.fedoraproject.org' would be? I *think* that's possible but I
haven't
gotten it to work. If I can get that to work though I guess that makes
sense because A) it'd work for now and B) I'm sure over time pdns's dnssec
will continue to mature.
I meant more like fedoraproject.org would be signed
xxx.mirrors.fedoraproject.org wouldn't be. But now I see that doens't
cover the items we have.
--
Stephen J Smoogen.
Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning
10:28 p.m.
On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath <mmcgrath(a)redhat.com> wrote:
So, for example 'fedoraproject.org' wouldn't be signed, but
'us.fedoraproject.org' would be? I *think* that's possible but I
haven't
gotten it to work. If I can get that to work though I guess that makes
sense because A) it'd work for now and B) I'm sure over time pdns's dnssec
will continue to mature.
No, that wouldn't really work, because then you couldn't trust lookups
from the fedoraproject.org zone, which would include delegations to
the subdomains, the main website itself, MX records, etc.
--
Jeff Ollie
10:30 p.m.
On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath
<mmcgrath(a)redhat.com> wrote:
>
> So, for example 'fedoraproject.org' wouldn't be signed, but
> 'us.fedoraproject.org' would be? I *think* that's possible but I
haven't
> gotten it to work. If I can get that to work though I guess that makes
> sense because A) it'd work for now and B) I'm sure over time pdns's
dnssec
> will continue to mature.
No, that wouldn't really work, because then you couldn't trust lookups
from the fedoraproject.org zone, which would include delegations to
the subdomains, the main website itself, MX records, etc.
But if fedoraproject.org pointed to some place that wasn't signed or was
signed incorrectly, wouldn't that fail?
-Mike
10:34 p.m.
On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath <mmcgrath(a)redhat.com> wrote:
On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath <mmcgrath(a)redhat.com> wrote:
> >
> > So, for example 'fedoraproject.org' wouldn't be signed, but
> > 'us.fedoraproject.org' would be? I *think* that's possible but I
haven't
> > gotten it to work. If I can get that to work though I guess that makes
> > sense because A) it'd work for now and B) I'm sure over time pdns's
dnssec
> > will continue to mature.
>
> No, that wouldn't really work, because then you couldn't trust lookups
> from the fedoraproject.org zone, which would include delegations to
> the subdomains, the main website itself, MX records, etc.
>
But if fedoraproject.org pointed to some place that wasn't signed or was
signed incorrectly, wouldn't that fail?
fedoraproject.org can't be a CNAME because it has other records like
MX, NS, SOA, etc. We'd have to switch to using
'www.fedoraproject.org' which could be a CNAME into an unsigned
subzone.
But then you'd still have the problem of relying on an unsigned zone
serving up DNS data, eventually no one is going to trust it.
--
Jeff Ollie
11:05 p.m.
On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath
<mmcgrath(a)redhat.com> wrote:
> On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>
>> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath <mmcgrath(a)redhat.com>
wrote:
>> >
>> > So, for example 'fedoraproject.org' wouldn't be signed, but
>> > 'us.fedoraproject.org' would be? I *think* that's possible but
I haven't
>> > gotten it to work. If I can get that to work though I guess that makes
>> > sense because A) it'd work for now and B) I'm sure over time
pdns's dnssec
>> > will continue to mature.
>>
>> No, that wouldn't really work, because then you couldn't trust lookups
>> from the fedoraproject.org zone, which would include delegations to
>> the subdomains, the main website itself, MX records, etc.
>>
>
> But if fedoraproject.org pointed to some place that wasn't signed or was
> signed incorrectly, wouldn't that fail?
fedoraproject.org can't be a CNAME because it has other records like
MX, NS, SOA, etc. We'd have to switch to using
'www.fedoraproject.org' which could be a CNAME into an unsigned
subzone.
But then you'd still have the problem of relying on an unsigned zone
serving up DNS data, eventually no one is going to trust it.
At this very moment, what is dnssec buying us?
-Mike
11:24 p.m.
At the moment? Nothing.
On 21/11/2009, Mike McGrath <mmcgrath(a)redhat.com> wrote:
On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
> On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath <mmcgrath(a)redhat.com>
> wrote:
> > On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
> >
> >> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath <mmcgrath(a)redhat.com>
> >> wrote:
> >> >
> >> > So, for example 'fedoraproject.org' wouldn't be signed,
but
> >> > 'us.fedoraproject.org' would be? I *think* that's possible
but I
> >> > haven't
> >> > gotten it to work. If I can get that to work though I guess that
> >> > makes
> >> > sense because A) it'd work for now and B) I'm sure over time
pdns's
> >> > dnssec
> >> > will continue to mature.
> >>
> >> No, that wouldn't really work, because then you couldn't trust
lookups
> >> from the fedoraproject.org zone, which would include delegations to
> >> the subdomains, the main website itself, MX records, etc.
> >>
> >
> > But if fedoraproject.org pointed to some place that wasn't signed or was
> > signed incorrectly, wouldn't that fail?
>
> fedoraproject.org can't be a CNAME because it has other records like
> MX, NS, SOA, etc. We'd have to switch to using
> 'www.fedoraproject.org' which could be a CNAME into an unsigned
> subzone.
>
> But then you'd still have the problem of relying on an unsigned zone
> serving up DNS data, eventually no one is going to trust it.
>
At this very moment, what is dnssec buying us?
-Mike
--
Sent from my mobile device
-- Nigel Jones
11:27 p.m.
Actually it does buy us some trust but as the roots aren't signed it's
fairly moot.
On 21/11/2009, Nigel Jones <dev(a)nigelj.com> wrote:
At the moment? Nothing.
On 21/11/2009, Mike McGrath <mmcgrath(a)redhat.com> wrote:
> On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>
>> On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath <mmcgrath(a)redhat.com>
>> wrote:
>> > On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>> >
>> >> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath
<mmcgrath(a)redhat.com>
>> >> wrote:
>> >> >
>> >> > So, for example 'fedoraproject.org' wouldn't be signed,
but
>> >> > 'us.fedoraproject.org' would be? I *think* that's
possible but I
>> >> > haven't
>> >> > gotten it to work. If I can get that to work though I guess that
>> >> > makes
>> >> > sense because A) it'd work for now and B) I'm sure over
time pdns's
>> >> > dnssec
>> >> > will continue to mature.
>> >>
>> >> No, that wouldn't really work, because then you couldn't trust
>> >> lookups
>> >> from the fedoraproject.org zone, which would include delegations to
>> >> the subdomains, the main website itself, MX records, etc.
>> >>
>> >
>> > But if fedoraproject.org pointed to some place that wasn't signed or
>> > was
>> > signed incorrectly, wouldn't that fail?
>>
>> fedoraproject.org can't be a CNAME because it has other records like
>> MX, NS, SOA, etc. We'd have to switch to using
>> 'www.fedoraproject.org' which could be a CNAME into an unsigned
>> subzone.
>>
>> But then you'd still have the problem of relying on an unsigned zone
>> serving up DNS data, eventually no one is going to trust it.
>>
>
> At this very moment, what is dnssec buying us?
>
> -Mike
--
Sent from my mobile device
-- Nigel Jones
--
Sent from my mobile device
-- Nigel Jones
9:49 p.m.
On Fri, Nov 20, 2009 at 4:09 PM, Mike McGrath <mmcgrath(a)redhat.com> wrote:
Nothing's ever easy, is it?
So I got pdns up and going this afternoon with it's geo back end. It's
working as expected and everything is good. The problem is pdns's dnssec
implementation is... not particularly mature or really even usable AFAIK
with geodns.
Anyone out there doing both geo location and dnssec with their name
servers?
Hmm... not sure if this rates as a 'clever' or 'ugly' hack:
http://phix.me/geodns/
--
Jeff Ollie
5263
days inactive
5264
days old
infrastructure@lists.fedoraproject.org
15 comments
4 participants
participants (4)
-
Jeffrey Ollie -
Mike McGrath -
Nigel Jones -
Stephen John Smoogen