[Yeti DNS Discuss] Re: Re: Five additional servers added to Yeti testbed & an bug finding on priming response

Davey Song(宋林健) ljsong at biigroup.cn
Fri May 6 06:44:15 UTC 2016


Knot IXFR behavior actually allows an advanced MZSK which requires the resolver
to validate each of the RRSIGs from multiple signers. The data integrity is gained
from three signers rather than one, which means the attacker needs to
compromise three signers (get the secret) rather than one. The risk of
advanced MZSK is P^3, given P is the risk probability that one DM is
compromised. Not bad!

Davey

-----Original Message-----
From: Davey Song(宋林健) [mailto:ljsong at biigroup.cn]
Sent: May 6, 2016 14:06
To: 'Davey Song(宋林健)'; 'Stephane Bortzmeyer'
Cc: discuss at lists.yeti-dns.org
Subject: Re: [Yeti DNS Discuss] Re: Five additional servers added to Yeti
testbed & an bug finding on priming response

yeti-ns.conit.co. returns SERVFAIL. I guess the disk is full. It happens to
some servers whose captured traffic is not purged regularly.

Davey

-----Original Message-----
From: discuss [mailto:discuss-bounces at lists.yeti-dns.org] On Behalf Of Davey
Song(宋林健)
Sent: May 4, 2016 17:30
To: 'Stephane Bortzmeyer'
Cc: discuss at lists.yeti-dns.org
Subject: [Yeti DNS Discuss] Re: Five additional servers added to Yeti testbed
& an bug finding on priming response

You are so swift to resolve it! How about yeti-ns.conit.co.? What's wrong
with it?

Davey

-----Original Message-----
From: Stephane Bortzmeyer [mailto:bortzmeyer at nic.fr]
Sent: May 4, 2016 16:59
To: Davey Song
Cc: discuss at lists.yeti-dns.org
Subject: Re: [Yeti DNS Discuss] Five additional servers added to Yeti testbed &
an bug finding on priming response

On Wed, May 04, 2016 at 10:26:07AM +0200,  Stephane Bortzmeyer
<bortzmeyer at nic.fr> wrote  a message of 24 lines which said:

> I don't find an option to make NSD send larger replies. I've asked the 
> NSD mailing list.

Done. It seems there is no configuration option for this behavior, you have
to recompile NSD with --disable-minimum-responses. dahu1 now sends
everything (it requires working IPv6 fragmentation...):

% dig @dahu1.yeti.eu.org NS .

; <<>> DiG 9.9.5-12.1-Debian <<>> @dahu1.yeti.eu.org NS .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59845
;; flags: qr aa rd; QUERY: 1, ANSWER: 24, AUTHORITY: 0, ADDITIONAL: 24
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.			IN NS

;; ANSWER SECTION:
.			86400 IN NS bii.dns-lab.net.
.			86400 IN NS yeti.bofh.priv.at.
.			86400 IN NS yeti.ipv6.ernet.in.
.			86400 IN NS yeti.aquaray.com.
.			86400 IN NS dahu1.yeti.eu.org.
.			86400 IN NS dahu2.yeti.eu.org.
.			86400 IN NS ns-yeti.bondis.org.
.			86400 IN NS yeti-ns.ix.ru.
.			86400 IN NS yeti-ns.lab.nic.cl.
.			86400 IN NS yeti-ns.tisf.net.
.			86400 IN NS yeti-ns.wide.ad.jp.
.			86400 IN NS yeti-ns.conit.co.
.			86400 IN NS yeti-ns.switch.ch.
.			86400 IN NS yeti-ns.as59715.net.
.			86400 IN NS yeti-ns1.dns-lab.net.
.			86400 IN NS yeti-ns2.dns-lab.net.
.			86400 IN NS yeti-ns3.dns-lab.net.
.			86400 IN NS yeti-dns01.dnsworkshop.org.
.			86400 IN NS 18ac3e7343f016890c510e93f93526.yeti-dns.net.
.			86400 IN NS 2e7d2c03a9507ae265ecf5b5356885.yeti-dns.net.
.			86400 IN NS 3e23e8160039594a33894f6564e1b1.yeti-dns.net.
.			86400 IN NS 3f79bb7b435b05321651daefd374cd.yeti-dns.net.
.			86400 IN NS ca978112ca1bbdcafac231b39a23dc.yeti-dns.net.
.			86400 IN RRSIG NS 8 0 86400 (
				20160603050150 20160504050150 20454 .
				oXf6MeGVkVFcWu7iUdfx06LuD6CPGSpzJDpPc38hactA
				3fm9oIQ7K2vySs4V+xd4FXEwLML2jq0LlvZ9/bt8hDJM
				jXvF/6wszHu7i900Rtf+CpGt7cYe/yCuEVTJwNogpsyU
				v0xFs4LlpfVWYouMKG5uOUBu4qHOiR4R2ibqmZw= )

;; ADDITIONAL SECTION:
bii.dns-lab.net.	86400 IN AAAA 240c:f:1:22::6
yeti.bofh.priv.at.	86400 IN AAAA 2a01:4f8:161:6106:1::10
yeti.ipv6.ernet.in.	86400 IN AAAA 2001:e30:1c1e:1::333
yeti.aquaray.com.	86400 IN AAAA 2a02:ec0:200::1
dahu1.yeti.eu.org.	86400 IN AAAA 2001:4b98:dc2:45:216:3eff:fe4b:8c5b
dahu2.yeti.eu.org.	86400 IN AAAA 2001:67c:217c:6::2
ns-yeti.bondis.org.	86400 IN AAAA 2a02:2810:0:405::250
yeti-ns.ix.ru.		86400 IN AAAA 2001:6d0:6d06::53
yeti-ns.lab.nic.cl.	86400 IN AAAA 2001:1398:1:21::8001
yeti-ns.tisf.net.	86400 IN AAAA 2001:559:8000::6
yeti-ns.wide.ad.jp.	86400 IN AAAA 2001:200:1d9::35
yeti-ns.conit.co.	86400 IN AAAA 2604:6600:2000:11::4854:a010
yeti-ns.switch.ch.	86400 IN AAAA 2001:620:0:ff::29
yeti-ns.as59715.net.	86400 IN AAAA 2a02:cdc5:9715:0:185:5:203:53
yeti-ns1.dns-lab.net.	86400 IN AAAA 2001:da8:a3:a027::6
yeti-ns2.dns-lab.net.	86400 IN AAAA 2001:da8:268:4200::6
yeti-ns3.dns-lab.net.	86400 IN AAAA 2400:a980:30ff::6
yeti-dns01.dnsworkshop.org. 86400 IN AAAA 2001:1608:10:167:32e::53
18ac3e7343f016890c510e93f93526.yeti-dns.net. 86400 IN AAAA 2a05:78c0:0:2::3:6
2e7d2c03a9507ae265ecf5b5356885.yeti-dns.net. 86400 IN AAAA 2400:8901:e001:39::6
3e23e8160039594a33894f6564e1b1.yeti-dns.net. 86400 IN AAAA 2803:80:1004:63::1
3f79bb7b435b05321651daefd374cd.yeti-dns.net. 86400 IN AAAA 2401:c900:1401:3b:c::6
ca978112ca1bbdcafac231b39a23dc.yeti-dns.net. 86400 IN AAAA 2c0f:f530::6

;; Query time: 23 msec
;; SERVER: 2001:4b98:dc2:45:216:3eff:fe4b:8c5b#53(2001:4b98:dc2:45:216:3eff:fe4b:8c5b)
;; WHEN: Wed May 04 10:58:40 CEST 2016
;; MSG SIZE  rcvd: 1558



_______________________________________________
discuss mailing list
discuss at lists.yeti-dns.org
http://lists.yeti-dns.org/mailman/listinfo/discuss
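
An added example, not part of the original thread: a check an operator could run over dig output in the layout quoted above, reporting root NS names that have no AAAA glue and whether the response is too large for a single unfragmented IPv6 packet. The sample text and the name `audit_priming` are constructed for illustration; the 1232-byte limit is the IPv6 minimum MTU of 1280 minus the 40-byte IPv6 and 8-byte UDP headers.

```python
import re

# IPv6 minimum link MTU (1280) minus IPv6 header (40) and UDP header (8).
MAX_UNFRAGMENTED_PAYLOAD = 1280 - 40 - 8

# Constructed sample in dig's output layout; names and addresses are placeholders.
SAMPLE = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
.                 86400 IN NS a.root.example.
.                 86400 IN NS b.root.example.
.                 86400 IN NS c.root.example.

;; ADDITIONAL SECTION:
a.root.example.   86400 IN AAAA 2001:db8::1
b.root.example.   86400 IN AAAA 2001:db8::2

;; MSG SIZE  rcvd: 1558
"""

def audit_priming(dig_text):
    """Summarise a 'dig NS .' reply: glue coverage and fragmentation need."""
    section, ns_names, glue, size = None, [], {}, None
    for line in dig_text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:                                  # ANSWER / ADDITIONAL / ...
            section = m.group(1)
            continue
        m = re.match(r";; MSG SIZE\s+rcvd: (\d+)", line)
        if m:
            size = int(m.group(1))
            continue
        fields = line.split()
        if line.startswith(";") or len(fields) < 5:
            continue                           # comments, RRSIG continuation lines
        owner, rtype, rdata = fields[0], fields[3], fields[4]
        if section == "ANSWER" and owner == "." and rtype == "NS":
            ns_names.append(rdata.lower())
        elif section == "ADDITIONAL" and rtype == "AAAA":
            glue.setdefault(owner.lower(), []).append(rdata)
    return {
        "ns_count": len(ns_names),
        "missing_glue": [n for n in ns_names if n not in glue],
        "msg_size": size,
        "needs_fragmentation": size is not None and size > MAX_UNFRAGMENTED_PAYLOAD,
    }

if __name__ == "__main__":
    print(audit_priming(SAMPLE))
```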




