On June 16, 2010, I witnessed the generation of the first root zone key-signing key in the first key ceremony held by ICANN, the IANA functions operator, at its key ceremony facility in Culpeper, VA. I attest that the following DS record corresponds to the key generated at that ceremony:
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
The canonical location of the root zone trust anchor information is http://data.iana.org/root-anchors. Also included there are supporting material and explanatory documentation.
A PGP-signed version of this attestation is available here.
Matt Larson
July 16, 2010
Posted by Matt Larson at 1:21 pm on July 16th, 2010.
Categories: Uncategorized.
In this episode, Matt and Cricket reveal the first R-rated movies they saw and the circumstances in which they saw them. Oh, and they answer Rob Szarka’s question about the maximum number of NS records a zone can contain and Matt’s unnamed colleague’s question about why we need intrazone NS records at all. Then Matt gives us an insider’s look at the Root Zone’s Key Ceremony.
Podcast: Play in new window | Download
Posted by Cricket Liu at 2:37 am on July 13th, 2010.
Categories: DNSSEC, Episodes.
In this episode, for the first time ever, Matt and Cricket are joined by a dozen DNS dignitaries to answer a question from Alejandro Acosta about when to plug trust anchors into his name servers’ configurations and begin validating, and Bob Lee’s question about which tools to use to check his zone data and his name server’s configuration. Then they discuss DENIC’s recent Worst Day Ever after they published a truncated zone data file for .DE. And Mr. DNS is amazed to learn how many dynamic zone hosting services are blocked from China.
Mr. DNS sends special thanks to Dyn Inc. for their support of this Ask Mr. DNS episode. Dyn provided the venue, the equipment and their famous New England hospitality. Thanks also to all of the panelists for their good humor and participation.
Podcast: Play in new window | Download
Posted by Cricket Liu at 1:48 pm on May 21st, 2010.
Categories: DNSSEC, Episodes, Uncategorized.
In this episode, Matt and Cricket reminisce about G jobs and the Good Old Days at pre-Carly HP, and answer Noe Nevarez’s question about apparent timeouts in nslookup and Alan Shackelford’s question about the effect of signing a parent zone on its subzones. Then Matt plugs DNS-OARC in an act of contrition and proceeds to throw Cisco under the bus for offering an option in CNR that’s less than infrastructure-friendly. And finally – and somewhat predictably – the conversation veers off into movies featuring people who can’t form long-term memories (though, incredibly, they forget Dory in “Finding Nemo”!) and upcoming business travel.
Podcast: Play in new window | Download
Posted by Cricket Liu at 1:47 am on April 29th, 2010.
Categories: DNSSEC, Episodes.
In this episode – returning after an unintentional hiatus – Matt and Cricket touch the third rail of DNS security, the DNSSEC versus DNScurve debate, by answering Yiorgos Adamopoulos’s question. They also answer Shane Wegner’s question about minimal responses, Matt brings Cricket up to date on progress in the effort to sign the root zone (including a reference to slides by Duane Wessels from NANOG 48), and Matt describes a recent “brush with greatness.”
Podcast: Play in new window | Download
Posted by Cricket Liu at 3:44 pm on March 25th, 2010.
Categories: DNSSEC, Episodes.
For the first time ever, Matt and Cricket have a guest host, Duane Wessels, recently of DNS-OARC and now at VeriSign. Matt, Duane and Cricket answer Christoph Kluenter’s question about IPv6-only name servers, Rick Andrews’s question about how software distinguishes IP addresses from domain names, and Rainer Duffner’s question about whether Google is omniscient or just sneaky. In addition, Matt demonstrates his formidable command of Stanley Kubrick’s “2001: A Space Odyssey,” and both Matt and Cricket gush about author Neal Stephenson and his latest novel, “Anathem.”
Podcast: Play in new window | Download
Posted by Mr. DNS at 3:04 am on January 18th, 2010.
Categories: Episodes, IPv6, Resolvers.
In this episode, Matt and Cricket answer listener Paul Petersen’s question about how to register subdomains in country-code top-level domains around the world, and Ismael’s question about whether an RRSIG record’s signature validity can extend how long the signed RRset is cached. (And if you understood that last part, you probably don’t need this podcast.)
In addition, Matt and Cricket talk about the latest news in DNS, including the signing of the root zone, which Matt knows all about, and the introduction of (and uproar over) Google’s Public DNS service.
Though Matt contributes most of the technical answers, Cricket does score a small coup by remembering that the late Frank Gorshin played the half-blackfaced/half-whitefaced Bele in the original Star Trek episode “Let This Be Your Last Battlefield.”
Podcast: Play in new window | Download
Posted by Cricket Liu at 3:19 am on December 8th, 2009.
Categories: Episodes. Tags: ccTLD, delegation, DNSSEC, Google, registrar, root.
In Episode 11, Matt and Cricket manage to answer four (count ’em, four!) questions – except that they don’t really know the answer to Paul Roberts’s question about forwarding and delegation. However, in their own, inimitable style, they answer Yong Tak Ming’s question about forwarding, Samar’s question about how to configure his resolver so that he isn’t forced to type fully qualified domain names all the time, and Dirck Copeland’s questions about the Kaminsky vulnerability. And if you stay till the bitter end, you’ll learn where Matt and Cricket got their starts in DNS and why Cricket’s never seen a World Series game.
Podcast: Play in new window | Download
Posted by Cricket Liu at 3:21 pm on October 20th, 2009.
Categories: Episodes. Tags: delegation, Forwarding, Kaminsky, resolver, searchlist, Security, vulnerability.
In this episode, their triumphant Labor Day return to podcasting, Matt and Cricket answer Alfredo Colón’s question on hypothetical restrictions on the IP address that a domain name may map to, and then slap Austin Ekwebelam’s wrist for asking how to disable a useful extension like EDNS0. In the process, Cricket reveals how the host hp.com got its name and why he never made it further in HP’s IT organization.
Podcast: Play in new window | Download
Posted by Cricket Liu at 4:53 pm on September 11th, 2009.
Categories: Episodes. Tags: EDNS0.
In our ninth episode, Matt and Cricket answer listener Scott McClanahan’s excellent question about the “zone apex” and tell Duncan Hart what gear they use to produce the podcast and why it’s better than their old gear. Except that Matt fails to mention the name of the mic he uses. (It’s a Shure BG 4.1.)
As per usual, the discussion deteriorates into a windy exposition of how DNSSEC works, but you’ve come to expect that by now.
Podcast: Play in new window | Download
Posted by Cricket Liu at 8:41 pm on July 1st, 2009.
Categories: Episodes. Tags: apex, DNSSEC, gear, zone.
