Old 11-20-2009, 10:29 PM
Stephen John Smoogen
 
DNSSEC and Geodns

On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
> Nothing's ever easy, is it?
>
> So I got pdns up and going this afternoon with its geo back end. It's
> working as expected and everything is good. The problem is pdns's dnssec
> implementation is... not particularly mature or really even usable AFAIK
> with geodns.
>
> Anyone out there doing both geo location and dnssec with their name
> servers?

Not really. Most places I know do not do dns-sec (either waiting until
.com/.org is signed or until it's required) or if they are doing
dns-sec aren't doing geoip. The solution that comes to mind would be
to have the geoip code in an unsigned sub-zone. It's not great but
until 2011 I don't see it being much better.


> -Mike
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
>



--
Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning

 
Old 11-21-2009, 02:13 AM
Mike McGrath
 

On Fri, 20 Nov 2009, Stephen John Smoogen wrote:

> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
> > Nothing's ever easy, is it?
> >
> > So I got pdns up and going this afternoon with its geo back end. It's
> > working as expected and everything is good. The problem is pdns's dnssec
> > implementation is... not particularly mature or really even usable AFAIK
> > with geodns.
> >
> > Anyone out there doing both geo location and dnssec with their name
> > servers?
>
> Not really. Most places I know do not do dns-sec (either waiting until
> .com/.org is signed or until it's required) or if they are doing
> dns-sec aren't doing geoip. The solution that comes to mind would be
> to have the geoip code in an unsigned sub-zone. It's not great but
> until 2011 I don't see it being much better.
>

Ugh, I really don't want to have to choose, nb did great work with getting
dnssec going.

-Mike
 
Old 11-21-2009, 02:18 AM
Stephen John Smoogen
 

On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
> On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
>
>> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
>> > Nothing's ever easy, is it?
>> >
>> > So I got pdns up and going this afternoon with its geo back end. It's
>> > working as expected and everything is good. The problem is pdns's dnssec
>> > implementation is... not particularly mature or really even usable AFAIK
>> > with geodns.
>> >
>> > Anyone out there doing both geo location and dnssec with their name
>> > servers?
>>
>> Not really. Most places I know do not do dns-sec (either waiting until
>> .com/.org is signed or until it's required) or if they are doing
>> dns-sec aren't doing geoip. The solution that comes to mind would be
>> to have the geoip code in an unsigned sub-zone. It's not great but
>> until 2011 I don't see it being much better.
>>
>
> Ugh, I really don't want to have to choose, nb did great work with getting
> dnssec going.

I would only do it for a subzone and not for the main one. Basically
have ns1/ns2 have the signed zones and the subzones on another one.



--
Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning

 
Old 11-21-2009, 02:27 AM
Nigel Jones
 

On Sat, Nov 21, 2009 at 1:18 PM, Stephen John Smoogen <smooge@gmail.com> wrote:
> On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
>> On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
>>
>>> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
>>> > Nothing's ever easy, is it?
>>> >
>>> > So I got pdns up and going this afternoon with its geo back end. It's
>>> > working as expected and everything is good. The problem is pdns's dnssec
>>> > implementation is... not particularly mature or really even usable AFAIK
>>> > with geodns.
>>> >
>>> > Anyone out there doing both geo location and dnssec with their name
>>> > servers?
>>>
>>> Not really. Most places I know do not do dns-sec (either waiting until
>>> .com/.org is signed or until it's required) or if they are doing
>>> dns-sec aren't doing geoip. The solution that comes to mind would be
>>> to have the geoip code in an unsigned sub-zone. It's not great but
>>> until 2011 I don't see it being much better.
>>>
>>
>> Ugh, I really don't want to have to choose, nb did great work with getting
>> dnssec going.
>
> I would only do it for a subzone and not for the main one. Basically
> have ns1/ns2 have the signed zones and the subzones on another one.

Surely this is going to increase the time needed for clients to
perform DNS lookups on the content we got GEO-Located (i.e.
fedoraproject.org/admin.fedoraproject.org)

- Nigel

 
Old 11-21-2009, 02:36 AM
Stephen John Smoogen
 

On Fri, Nov 20, 2009 at 8:27 PM, Nigel Jones <dev@nigelj.com> wrote:
> On Sat, Nov 21, 2009 at 1:18 PM, Stephen John Smoogen <smooge@gmail.com> wrote:
>> On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath <mmcgrath@redhat.com> wrote:

>>> Ugh, I really don't want to have to choose, nb did great work with getting
>>> dnssec going.
>>
>> I would only do it for a subzone and not for the main one. Basically
>> have ns1/ns2 have the signed zones and the subzones on another one.
> Surely this is going to increase the time needed for clients to
> perform DNS lookups on the content we got GEO-Located (i.e.
> fedoraproject.org/admin.fedoraproject.org)

Usually the time is really pretty small.

> - Nigel



--
Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning

 
Old 11-21-2009, 02:49 AM
Jeffrey Ollie
 

On Fri, Nov 20, 2009 at 4:09 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
> Nothing's ever easy, is it?
>
> So I got pdns up and going this afternoon with its geo back end. It's
> working as expected and everything is good. The problem is pdns's dnssec
> implementation is... not particularly mature or really even usable AFAIK
> with geodns.
>
> Anyone out there doing both geo location and dnssec with their name
> servers?

Hmm... not sure if this rates as a 'clever' or 'ugly' hack:

http://phix.me/geodns/

--
Jeff Ollie

 
Old 11-21-2009, 03:09 AM
Mike McGrath
 

On Fri, 20 Nov 2009, Stephen John Smoogen wrote:

> On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
> > On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
> >
> >> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
> >> > Nothing's ever easy, is it?
> >> >
> >> > So I got pdns up and going this afternoon with its geo back end. It's
> >> > working as expected and everything is good. The problem is pdns's dnssec
> >> > implementation is... not particularly mature or really even usable AFAIK
> >> > with geodns.
> >> >
> >> > Anyone out there doing both geo location and dnssec with their name
> >> > servers?
> >>
> >> Not really. Most places I know do not do dns-sec (either waiting until
> >> .com/.org is signed or until it's required) or if they are doing
> >> dns-sec aren't doing geoip. The solution that comes to mind would be
> >> to have the geoip code in an unsigned sub-zone. It's not great but
> >> until 2011 I don't see it being much better.
> >>
> >
> > Ugh, I really don't want to have to choose, nb did great work with getting
> > dnssec going.
>
> I would only do it for a subzone and not for the main one. Basically
> have ns1/ns2 have the signed zones and the subzones on another one.
>

So, for example 'fedoraproject.org' wouldn't be signed, but
'us.fedoraproject.org' would be? I *think* that's possible but I haven't
gotten it to work. If I can get that to work though I guess that makes
sense because A) it'd work for now and B) I'm sure over time pdns's dnssec
will continue to mature.

-Mike
 
Old 11-21-2009, 03:22 AM
Mike McGrath
 

On Fri, 20 Nov 2009, Mike McGrath wrote:

> On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
>
> > On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
> > > On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
> > >
> > >> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
> > >> > Nothing's ever easy, is it?
> > >> >
> > >> > So I got pdns up and going this afternoon with its geo back end. It's
> > >> > working as expected and everything is good. The problem is pdns's dnssec
> > >> > implementation is... not particularly mature or really even usable AFAIK
> > >> > with geodns.
> > >> >
> > >> > Anyone out there doing both geo location and dnssec with their name
> > >> > servers?
> > >>
> > >> Not really. Most places I know do not do dns-sec (either waiting until
> > >> .com/.org is signed or until it's required) or if they are doing
> > >> dns-sec aren't doing geoip. The solution that comes to mind would be
> > >> to have the geoip code in an unsigned sub-zone. It's not great but
> > >> until 2011 I don't see it being much better.
> > >>
> > >
> > > Ugh, I really don't want to have to choose, nb did great work with getting
> > > dnssec going.
> >
> > I would only do it for a subzone and not for the main one. Basically
> > have ns1/ns2 have the signed zones and the subzones on another one.
> >
>
> So, for example 'fedoraproject.org' wouldn't be signed, but
> 'us.fedoraproject.org' would be? I *think* that's possible but I haven't
> gotten it to work. If I can get that to work though I guess that makes
> sense because A) it'd work for now and B) I'm sure over time pdns's dnssec
> will continue to mature.
>

I should explain this to people not familiar with pdns with the geo
backend (as I was unfamiliar about 12 hours ago).

Right now I've got powerdns to literally pull from our normal bind configs
(with a few modifications). pdns uses this for most of its data. But
the geo ip lookups would happen prior to the bind lookups and the way it's
set up now would return a cname. So, depending on where you are located
and how we set things up, 'fedoraproject.org' would point to
us.fedoraproject.org or de.fedoraproject.org or maybe even na or
eu.fedoraproject.org.

AFAIK, that cname can't be signed with the way pdns currently works.
*however* I think what the cname points to could be signed. I'm not sure
if this completely bypasses what dnssec would get us or not but I suspect
it's the A record signings that are the most important.

Thoughts?

-Mike
 
Old 11-21-2009, 03:27 AM
Stephen John Smoogen
 

On Fri, Nov 20, 2009 at 9:09 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
> On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
>
>> On Fri, Nov 20, 2009 at 8:13 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
>> > On Fri, 20 Nov 2009, Stephen John Smoogen wrote:
>> >
>> >> On Fri, Nov 20, 2009 at 3:09 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
>> >> > Nothing's ever easy, is it?
>> >> >
>> >> > So I got pdns up and going this afternoon with its geo back end. It's
>> >> > working as expected and everything is good. The problem is pdns's dnssec
>> >> > implementation is... not particularly mature or really even usable AFAIK
>> >> > with geodns.
>> >> >
>> >> > Anyone out there doing both geo location and dnssec with their name
>> >> > servers?
>> >>
>> >> Not really. Most places I know do not do dns-sec (either waiting until
>> >> .com/.org is signed or until it's required) or if they are doing
>> >> dns-sec aren't doing geoip. The solution that comes to mind would be
>> >> to have the geoip code in an unsigned sub-zone. It's not great but
>> >> until 2011 I don't see it being much better.
>> >>
>> >
>> > Ugh, I really don't want to have to choose, nb did great work with getting
>> > dnssec going.
>>
>> I would only do it for a subzone and not for the main one. Basically
>> have ns1/ns2 have the signed zones and the subzones on another one.
>>
>
> So, for example 'fedoraproject.org' wouldn't be signed, but
> 'us.fedoraproject.org' would be? I *think* that's possible but I haven't
> gotten it to work. If I can get that to work though I guess that makes
> sense because A) it'd work for now and B) I'm sure over time pdns's dnssec
> will continue to mature.

I meant more like fedoraproject.org would be signed,
xxx.mirrors.fedoraproject.org wouldn't be. But now I see that doesn't
cover the items we have.





--
Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning

 
Old 11-21-2009, 03:28 AM
Jeffrey Ollie
 

On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
>
> So, for example 'fedoraproject.org' wouldn't be signed, but
> 'us.fedoraproject.org' would be? I *think* that's possible but I haven't
> gotten it to work. If I can get that to work though I guess that makes
> sense because A) it'd work for now and B) I'm sure over time pdns's dnssec
> will continue to mature.

No, that wouldn't really work, because then you couldn't trust lookups
from the fedoraproject.org zone, which would include delegations to
the subdomains, the main website itself, MX records, etc.

--
Jeff Ollie
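
The two layouts weighed in this thread (unsigned parent with a signed us.fedoraproject.org, and signed parent with an unsigned sub-zone), as an added example that is not part of any poster's message or of pdns: a toy Python model of DNSSEC chain-of-trust state that tracks signing per zone only, so it does not capture a single unsigned record inside a signed zone. The trust anchor at org, the record data and the 192.0.2.x addresses are constructed assumptions.

```python
# Toy chain-of-trust model; zone layouts and records are constructed samples.
SECURE, INSECURE = "secure", "insecure"

def enclosing_zone(name, zones):
    """Return the longest zone that contains `name` (label-boundary match)."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    raise KeyError(name)

def zone_status(zone, zones, anchor="org"):
    """Secure only if every zone from the trust anchor down is signed and
    each delegation on the way carries a DS record."""
    if zone == anchor:
        return SECURE if zones[zone]["signed"] else INSECURE
    parent = enclosing_zone(zone.split(".", 1)[1], zones)
    if zone_status(parent, zones, anchor) != SECURE:
        return INSECURE  # signed child under an unsigned parent: no chain to it
    z = zones[zone]
    return SECURE if z["signed"] and z["ds"] else INSECURE

def answer_status(qname, zones, records):
    """Follow CNAMEs from qname; one insecure link makes the answer insecure."""
    status, name, seen = SECURE, qname, set()
    while name not in seen:
        seen.add(name)
        if zone_status(enclosing_zone(name, zones), zones) != SECURE:
            status = INSECURE
        rtype, value = records[name]
        if rtype != "CNAME":
            return status
        name = value
    raise ValueError("CNAME loop at " + name)

RECORDS = {
    "fedoraproject.org": ("CNAME", "us.fedoraproject.org"),  # geo answer
    "us.fedoraproject.org": ("A", "192.0.2.10"),
    "admin.fedoraproject.org": ("A", "192.0.2.20"),
    "xxx.mirrors.fedoraproject.org": ("A", "192.0.2.30"),
}
ORG = {"org": {"signed": True, "ds": True}}
# Layout A: unsigned parent, signed us.fedoraproject.org child.
LAYOUT_A = {**ORG, "fedoraproject.org": {"signed": False, "ds": False},
            "us.fedoraproject.org": {"signed": True, "ds": True}}
# Layout B: signed parent, geo names moved to an unsigned sub-zone.
LAYOUT_B = {**ORG, "fedoraproject.org": {"signed": True, "ds": True},
            "mirrors.fedoraproject.org": {"signed": False, "ds": False}}
```

In layout A nothing under fedoraproject.org validates, including the signed child; in layout B names in the parent validate and only names inside the unsigned sub-zone do not.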
