From francisco en arias.com.mx Thu Jan 7 13:27:10 2010 From: francisco en arias.com.mx (Francisco Arias) Date: Thu, 7 Jan 2010 07:27:10 -0800 Subject: [LACNIC/Seguridad] Fwd: RSA-786 fractorized In-Reply-To: References: Message-ID: http://eprint.iacr.org/2010/006.pdf "On December 12, 2009, we factored the 768-bit, 232-digit number RSA-768 by the number field sieve (NFS, [19]). The number RSA-768 was taken from the now obsolete RSA Challenge list [37] as a representative 768-bit RSA modulus (cf. [36]). This result is a record for factoring general integers. Factoring a 1024-bit RSA modulus would be about a thousand times harder, and a 768-bit RSA modulus is several thousands times harder to factor than a 512-bit one. Because the first factorization of a 512-bit RSA modulus was reported only a decade ago (cf. [7]) it is not unreasonable to expect that 1024-bit RSA moduli can be factored well within the next decade by an academic effort such as ours or the one in [7]. Thus, it would be prudent to phase out usage of 1024-bit RSA within the next three to four years." Saludos, Francisco. ---------- Forwarded message ---------- From: Lutz Donnerhacke Date: 2010/1/7 Subject: [dnssec-deployment] RSA-786 fractorized To: DNSSEC deployment A 786bit composite number was factorized using 80 CPUs over half an year. Please check if you are using such keys (as ZSKs?) and upgrade to 1024 asap. My personal opinion is to use 1024 bit keys for both ZSK and KSK and limit the lifetime to about a year for the KSK. http://eprint.iacr.org/2010/006.pdf http://www.iks-jena.de/Ueber-uns/News/RSA-786-gebrochen ############################################################# This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: A public archive is available here: < http://mail.shinkuro.com:8100/Lists/dnssec-deployment/> and older material is at ------------ próxima parte ------------ Se ha borrado un adjunto en formato HTML... URL: From francisco en arias.com.mx Thu Jan 14 17:02:54 2010 From: francisco en arias.com.mx (Francisco Arias) Date: Thu, 14 Jan 2010 14:02:54 -0500 Subject: [LACNIC/Seguridad] Fwd: Root Zone DNSSEC Deployment Technical Status Update In-Reply-To: <0A21E822-EF4E-4328-A9B7-69A11B949009@hopcount.ca> References: <0A21E822-EF4E-4328-A9B7-69A11B949009@hopcount.ca> Message-ID: Les transmito un mensaje de actualización sobre la firma de la zona raíz. Es de resaltar la publicación de varios documentos y el cambio de fecha para iniciar la publicación de la zona raíz firmada (aunque no verificable) en el serivor raíz L el 25 de enero próximo. Saludos, Francisco. ---------- Forwarded message ---------- From: Joe Abley Date: 2010/1/14 Subject: [dns-operations] Root Zone DNSSEC Deployment Technical Status Update To: dns-operations en mail.dns-oarc.net Cc: rootsign en icann.org This is the second of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS. Apologies if you receive multiple copies of this message. RESOURCES Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/. We'd like to hear from you. If you have feedback for us, please send it to rootsign en icann.org. DOCUMENTATION The following draft documents were recently published: - DNSSEC Deployment for the Root Zone - DNSSEC Trust Anchor Publication for the Root Zone The following documents are expected to be released as drafts within the next few weeks: - DNSSEC Test Plan for the Root Zone - KSK Holder DNSSEC Facility Requirements DEPLOYMENT STATUS A second KSR exchange between ICANN and VeriSign took place on 2009-12-28. Signing, validation, measurement and monitoring infrastructure continues to be tested. The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately-Unvalidatable Root Zone (DURZ), and subsequently by a conventionally-signed root zone. Discussion of the approach can be found in the document "DNSSEC Deployment for the Root Zone", as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings. Internal publication of the DURZ to root server operators began on 7 January 2010, to allow root server operators to do internal testing and to refine internal monitoring or other operational systems. Note that all root servers will continue to serve the unsigned root zone during this internal testing of the DURZ. Full packet capture exercises are planned by root server operators on 2010-01-13 and 2010-01-19, with data being uploaded to OARC's Day in the Life (DITL) infrastructure, in preparation for the full packet captures that will take place during L's DURZ transition. PLANNED DEPLOYMENT SCHEDULE The recently-published deployment plan contains target maintenance windows for each root server's transition to serve the DURZ. The date for the first such transition, on the L root server, has been deferred slightly to accommodate more extensive data capture and measurement testing by all root servers, and also to allow an NSD upgrade to be tested and deployed on L. ICANN plans to serve the DURZ on L-Root using NSD 3.2.4, which is better able to serve large DNS responses. See for more details. Week of 2010-01-25: L starts to serve DURZ Week of 2010-02-08: A starts to serve DURZ Week of 2010-03-01: M, I start to serve DURZ Week of 2010-03-22: D, K, E start to serve DURZ Week of 2010-04-12: B, H, C, G, F start to serve DURZ Week of 2010-05-03: J starts to serve DURZ 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor (Please note that this schedule is tentative and subject to change based on testing results or other unforseen factors.) _______________________________________________ dns-operations mailing list dns-operations en lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations ------------ próxima parte ------------ Se ha borrado un adjunto en formato HTML... URL: From carlos.martinez en csirt-antel.com.uy Tue Jan 19 16:38:43 2010 From: carlos.martinez en csirt-antel.com.uy (Carlos M. Martinez) Date: Tue, 19 Jan 2010 16:38:43 -0200 Subject: [LACNIC/Seguridad] 0-day en Internet Explorer Message-ID: <4B55FC33.5030000@csirt-antel.com.uy> Estimados, supongo que ya todos se han entereado de la vulnerabilidad de 0-day en Internet Explorer, que salto a a la fama a través de las denuncias públicas de Google sobre los ataques a activistas chinos. Les dejo un link a una valoración de riesgo realizada por un team de seguridad de Microsoft que puede resultar de utilidad. http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx Es de notar que la configuración más vulnerable de todas es la que utiliza Windows XP + Internet Explorer 6. slds Carlos -- Carlos M. Martinez - CSIRT-Antel T:+598-2-9282839 W:http://www.csirt-antel.com.uy PGP KeyID: 0xD51507A2 Montevideo, Uruguay From lhidalgo0204 en gmail.com Wed Jan 20 16:48:20 2010 From: lhidalgo0204 en gmail.com (Luis Hidalgo) Date: Wed, 20 Jan 2010 13:48:20 -0500 Subject: [LACNIC/Seguridad] =?iso-8859-1?q?Resumen_de_Seguridad=2C_Vol_44?= =?iso-8859-1?q?=2C_Env=EDo_3?= In-Reply-To: References: Message-ID: Estimados Amigos: Aparentemente existe algunas buenas noticias en donde es relativamente sencillo mitigar el problema, el cual consiste en *deshabilitar* el *soporte * para *aplicaciones de 16 bits* que se supone no será ningún problema para la mayoría de usuarios. Los pasos son los siguientes: Desde la consola de políticas (gpedit.msc) abrir "Configuración de equipo", "Plantillas administrativas", "Componentes de Windows", "Compatibilidad de aplicación" y habilitar la política "Impedir el acceso a aplicaciones de 16 bits". Es importante asegurarse de que es aplicada a los sistemas que dependen del controlador de dominio, forzando una actualización de políticas. Los vídeos publicados con cómo realizar esto (en inglés) desde la consola de políticas y aplicarlo a todos los clientes de un Directorio Activo están disponibles desde: *Windows Server 2003:* http://www.youtube.com/watch?v=XRVI4iQ2Nug *Windows Server 2008* http://www.youtube.com/watch?v=u8pfXW7crEQ *Para Windows XP:* http://www.youtube.com/watch?v=u7Y6d-BVwxk *Para sistemas más antiguos, como por ejemplo NT4* http://support.microsoft.com/kb/220159 Saludos Luis Hidalgo TERIS Lima - Perú 2010/1/20 > Envíe los mensajes para la lista Seguridad a > seguridad en lacnic.net > > Para subscribirse o anular su subscripción a través de la WEB > https://mail.lacnic.net/mailman/listinfo/seguridad > > O por correo electrónico, enviando un mensaje con el texto "help" en > el asunto (subject) o en el cuerpo a: > seguridad-request en lacnic.net > > Puede contactar con el responsable de la lista escribiendo a: > seguridad-owner en lacnic.net > > Si responde a algún contenido de este mensaje, por favor, edite la > linea del asunto (subject) para que el texto sea mas especifico que: > "Re: Contents of Seguridad digest...". Además, por favor, incluya en > la respuesta sólo aquellas partes del mensaje a las que está > respondiendo. > > > Asuntos del día: > > 1. 0-day en Internet Explorer (Carlos M. Martinez) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 19 Jan 2010 16:38:43 -0200 > From: "Carlos M. Martinez" > To: Lista para discusión de seguridad en redes y sistemas informaticos > de la región > Subject: [LACNIC/Seguridad] 0-day en Internet Explorer > Message-ID: <4B55FC33.5030000 en csirt-antel.com.uy> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Estimados, > > supongo que ya todos se han entereado de la vulnerabilidad de 0-day en > Internet Explorer, que salto a a la fama a través de las denuncias > públicas de Google sobre los ataques a activistas chinos. > > Les dejo un link a una valoración de riesgo realizada por un team de > seguridad de Microsoft que puede resultar de utilidad. > > > http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx > > Es de notar que la configuración más vulnerable de todas es la que > utiliza Windows XP + Internet Explorer 6. > > slds > > Carlos > -- > Carlos M. Martinez - CSIRT-Antel > T:+598-2-9282839 W:http://www.csirt-antel.com.uy > PGP KeyID: 0xD51507A2 > Montevideo, Uruguay > > > ------------------------------ > > _______________________________________________ > Seguridad mailing list > Seguridad en lacnic.net > https://mail.lacnic.net/mailman/listinfo/seguridad > > > Fin de Resumen de Seguridad, Vol 44, Envío 3 > ******************************************** > ------------ próxima parte ------------ Se ha borrado un adjunto en formato HTML... URL: From christian.quispe en ieee.org Wed Jan 20 17:32:57 2010 From: christian.quispe en ieee.org (Christian Quispe Quispe) Date: Wed, 20 Jan 2010 14:32:57 -0500 Subject: [LACNIC/Seguridad] =?iso-8859-1?q?Resumen_de_Seguridad=2C_Vol_44?= =?iso-8859-1?q?=2C_Env=EDo_3?= In-Reply-To: References: Message-ID: <59e2abc91001201132s6a2daa40u868c584b8f1af651@mail.gmail.com> Luis, ese problema con aplicaciones de 16 bits es otro 0day =). 0-day en Internet Explorer: Detrás de los ataques a grandes compañías http://www.hispasec.com/unaaldia/4101 http://www.pentester.es/2010/01/aurora-elevacion-de-privilegios.html Grave vulnerabilidad en Windows permite elevar privilegios http://www.hispasec.com/unaaldia/4106 http://seclists.org/fulldisclosure/2010/Jan/341 Saludos, Christian 2010/1/20 Luis Hidalgo > Estimados Amigos: > > Aparentemente existe algunas buenas noticias en donde es relativamente > sencillo mitigar el problema, el cual consiste en *deshabilitar* el * > soporte* para *aplicaciones de 16 bits* que se supone no será ningún > problema para la mayoría de usuarios. > > Los pasos son los siguientes: > > Desde la consola de políticas (gpedit.msc) abrir "Configuración de equipo", > "Plantillas administrativas", "Componentes de Windows", "Compatibilidad de > aplicación" y habilitar la política "Impedir el acceso a aplicaciones de 16 > bits". Es importante asegurarse de que > es aplicada a los sistemas que dependen del controlador de dominio, > forzando una actualización de políticas. > > Los vídeos publicados con cómo realizar esto (en inglés) desde la > consola de políticas y aplicarlo a todos los clientes de un Directorio > Activo están disponibles desde: > > *Windows Server 2003:* > http://www.youtube.com/watch?v=XRVI4iQ2Nug > > *Windows Server 2008* > http://www.youtube.com/watch?v=u8pfXW7crEQ > > *Para Windows XP:* > http://www.youtube.com/watch?v=u7Y6d-BVwxk > > *Para sistemas más antiguos, como por ejemplo NT4* > http://support.microsoft.com/kb/220159 > > > Saludos > Luis Hidalgo > TERIS > Lima - Perú > > > 2010/1/20 > >> Envíe los mensajes para la lista Seguridad a >> seguridad en lacnic.net >> >> Para subscribirse o anular su subscripción a través de la WEB >> https://mail.lacnic.net/mailman/listinfo/seguridad >> >> O por correo electrónico, enviando un mensaje con el texto "help" en >> el asunto (subject) o en el cuerpo a: >> seguridad-request en lacnic.net >> >> Puede contactar con el responsable de la lista escribiendo a: >> seguridad-owner en lacnic.net >> >> Si responde a algún contenido de este mensaje, por favor, edite la >> linea del asunto (subject) para que el texto sea mas especifico que: >> "Re: Contents of Seguridad digest...". Además, por favor, incluya en >> la respuesta sólo aquellas partes del mensaje a las que está >> respondiendo. >> >> >> Asuntos del día: >> >> 1. 0-day en Internet Explorer (Carlos M. Martinez) >> >> >> ---------------------------------------------------------------------- >> >> Message: 1 >> Date: Tue, 19 Jan 2010 16:38:43 -0200 >> From: "Carlos M. Martinez" >> To: Lista para discusión de seguridad en redes y sistemas informaticos >> de la región >> Subject: [LACNIC/Seguridad] 0-day en Internet Explorer >> Message-ID: <4B55FC33.5030000 en csirt-antel.com.uy> >> Content-Type: text/plain; charset=ISO-8859-1; format=flowed >> >> Estimados, >> >> supongo que ya todos se han entereado de la vulnerabilidad de 0-day en >> Internet Explorer, que salto a a la fama a través de las denuncias >> públicas de Google sobre los ataques a activistas chinos. >> >> Les dejo un link a una valoración de riesgo realizada por un team de >> seguridad de Microsoft que puede resultar de utilidad. >> >> >> http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx >> >> Es de notar que la configuración más vulnerable de todas es la que >> utiliza Windows XP + Internet Explorer 6. >> >> slds >> >> Carlos >> -- >> Carlos M. Martinez - CSIRT-Antel >> T:+598-2-9282839 W:http://www.csirt-antel.com.uy >> PGP KeyID: 0xD51507A2 >> Montevideo, Uruguay >> >> >> ------------------------------ >> >> _______________________________________________ >> Seguridad mailing list >> Seguridad en lacnic.net >> https://mail.lacnic.net/mailman/listinfo/seguridad >> >> >> Fin de Resumen de Seguridad, Vol 44, Envío 3 >> ******************************************** >> > > _______________________________________________ > Seguridad mailing list > Seguridad en lacnic.net > https://mail.lacnic.net/mailman/listinfo/seguridad > > ------------ próxima parte ------------ Se ha borrado un adjunto en formato HTML... URL: From carlos.martinez en csirt-antel.com.uy Thu Jan 21 10:53:35 2010 From: carlos.martinez en csirt-antel.com.uy (Carlos M. Martinez) Date: Thu, 21 Jan 2010 10:53:35 -0200 Subject: [LACNIC/Seguridad] =?iso-8859-1?q?Resumen_de_Seguridad=2C_Vol_44?= =?iso-8859-1?q?=2C_Env=EDo_3?= In-Reply-To: <59e2abc91001201132s6a2daa40u868c584b8f1af651@mail.gmail.com> References: <59e2abc91001201132s6a2daa40u868c584b8f1af651@mail.gmail.com> Message-ID: <4B584E4F.6010308@csirt-antel.com.uy> Si, efectivamente son dos problemas independientes. Dos 0-days en una semana para Microsoft. El de las aplicaciones de 16 bits es (aparentemente) de mitigación sencilla. On 1/20/10 5:32 PM, Christian Quispe Quispe wrote: > Luis, > ese problema con aplicaciones de 16 bits es otro 0day =). > > 0-day en Internet Explorer: Detrás de los ataques a grandes compañías > http://www.hispasec.com/unaaldia/4101 > http://www.pentester.es/2010/01/aurora-elevacion-de-privilegios.html > > Grave vulnerabilidad en Windows permite elevar privilegios > http://www.hispasec.com/unaaldia/4106 > http://seclists.org/fulldisclosure/2010/Jan/341 > > Saludos, > > Christian > > > > 2010/1/20 Luis Hidalgo > > > Estimados Amigos: > > Aparentemente existe algunas buenas noticias en donde es > relativamente sencillo mitigar el problema, el cual consiste en > *deshabilitar* el *soporte* para *aplicaciones de 16 bits* que se > supone no será ningún problema para la mayoría de usuarios. > > Los pasos son los siguientes: > > Desde la consola de políticas (gpedit.msc) abrir "Configuración de > equipo", "Plantillas administrativas", "Componentes de Windows", > "Compatibilidad de aplicación" y habilitar la política "Impedir el > acceso a aplicaciones de 16 bits". Es importante asegurarse de que > es aplicada a los sistemas que dependen del controlador de dominio, > forzando una actualización de políticas. > > Los vídeos publicados con cómo realizar esto (en inglés) desde la > consola de políticas y aplicarlo a todos los clientes de un Directorio > Activo están disponibles desde: > > *Windows Server 2003:* > http://www.youtube.com/watch?v=XRVI4iQ2Nug > > *Windows Server 2008* > http://www.youtube.com/watch?v=u8pfXW7crEQ > > *Para Windows XP:* > http://www.youtube.com/watch?v=u7Y6d-BVwxk > > *Para sistemas más antiguos, como por ejemplo NT4* > http://support.microsoft.com/kb/220159 > > > Saludos > Luis Hidalgo > TERIS > Lima - Perú > > > 2010/1/20

> > > Envíe los mensajes para la lista Seguridad a > seguridad en lacnic.net > > Para subscribirse o anular su subscripción a través de la WEB > https://mail.lacnic.net/mailman/listinfo/seguridad > > O por correo electrónico, enviando un mensaje con el texto "help" en > el asunto (subject) o en el cuerpo a: > seguridad-request en lacnic.net > > > Puede contactar con el responsable de la lista escribiendo a: > seguridad-owner en lacnic.net > > > Si responde a algún contenido de este mensaje, por favor, edite la > linea del asunto (subject) para que el texto sea mas especifico que: > "Re: Contents of Seguridad digest...". Además, por favor, incluya en > la respuesta sólo aquellas partes del mensaje a las que está > respondiendo. > > > Asuntos del día: > > 1. 0-day en Internet Explorer (Carlos M. Martinez) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 19 Jan 2010 16:38:43 -0200 > From: "Carlos M. Martinez" > > To: Lista para discusión de seguridad en redes y sistemas > informaticos > de la región > > Subject: [LACNIC/Seguridad] 0-day en Internet Explorer > Message-ID: <4B55FC33.5030000 en csirt-antel.com.uy > > > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Estimados, > > supongo que ya todos se han entereado de la vulnerabilidad de > 0-day en > Internet Explorer, que salto a a la fama a través de las denuncias > públicas de Google sobre los ataques a activistas chinos. > > Les dejo un link a una valoración de riesgo realizada por un team de > seguridad de Microsoft que puede resultar de utilidad. > > http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx > > Es de notar que la configuración más vulnerable de todas es la que > utiliza Windows XP + Internet Explorer 6. > > slds > > Carlos > -- > Carlos M. Martinez - CSIRT-Antel > T:+598-2-9282839 W:http://www.csirt-antel.com.uy > PGP KeyID: 0xD51507A2 > Montevideo, Uruguay > > > ------------------------------ > > _______________________________________________ > Seguridad mailing list > Seguridad en lacnic.net > https://mail.lacnic.net/mailman/listinfo/seguridad > > > Fin de Resumen de Seguridad, Vol 44, Envío 3 > ******************************************** > > > _______________________________________________ > Seguridad mailing list > Seguridad en lacnic.net > https://mail.lacnic.net/mailman/listinfo/seguridad > > > > > _______________________________________________ > Seguridad mailing list > Seguridad en lacnic.net > https://mail.lacnic.net/mailman/listinfo/seguridad -- Carlos M. Martinez - CSIRT-Antel T:+598-2-9282839 W:http://www.csirt-antel.com.uy PGP KeyID: 0xD51507A2 Montevideo, Uruguay From christian.oflaherty en gmail.com Tue Jan 26 11:26:48 2010 From: christian.oflaherty en gmail.com (Christian O'Flaherty) Date: Tue, 26 Jan 2010 11:26:48 -0200 Subject: [LACNIC/Seguridad] Fwd: Root Zone DNSSEC Deployment Technical Status Update In-Reply-To: References: <0A21E822-EF4E-4328-A9B7-69A11B949009@hopcount.ca> Message-ID: <81ffbdca1001260526t2978247bp26087ce527a4a5dc@mail.gmail.com> Hola Francisco, Qué pasó con la Firma? Chris 2010/1/14 Francisco Arias : > Les transmito un mensaje de actualización sobre la firma de la zona raíz. Es > de resaltar la publicación de varios documentos y el cambio de fecha para > iniciar la publicación de la zona raíz firmada (aunque no verificable) en el > serivor raíz L el 25 de enero próximo. > > Saludos, > > Francisco. > > > ---------- Forwarded message ---------- > From: Joe Abley > Date: 2010/1/14 > Subject: [dns-operations] Root Zone DNSSEC Deployment Technical Status > Update > To: dns-operations en mail.dns-oarc.net > Cc: rootsign en icann.org > > > This is the second of a series of technical status updates intended > to inform a technical audience on progress in signing the root zone > of the DNS. Apologies if you receive multiple copies of this message. > > > RESOURCES > > Details of the project, including documentation published to date, > can be found at http://www.root-dnssec.org/. > > We'd like to hear from you. If you have feedback for us, please > send it to rootsign en icann.org. > > > DOCUMENTATION > > The following draft documents were recently published: > > - DNSSEC Deployment for the Root Zone > > - DNSSEC Trust Anchor Publication for the Root Zone > > The following documents are expected to be released as drafts within > the next few weeks: > > - DNSSEC Test Plan for the Root Zone > > - KSK Holder DNSSEC Facility Requirements > > > DEPLOYMENT STATUS > > A second KSR exchange between ICANN and VeriSign took place on > 2009-12-28. Signing, validation, measurement and monitoring > infrastructure continues to be tested. > > The incremental deployment of DNSSEC in the Root Zone is being > carried out first by serving a Deliberately-Unvalidatable Root Zone > (DURZ), and subsequently by a conventionally-signed root zone. > Discussion of the approach can be found in the document "DNSSEC > Deployment for the Root Zone", as well as in the technical presentations > delivered at RIPE, NANOG, IETF and ICANN meetings. > > Internal publication of the DURZ to root server operators began on > 7 January 2010, to allow root server operators to do internal testing > and to refine internal monitoring or other operational systems. > Note that all root servers will continue to serve the unsigned root > zone during this internal testing of the DURZ. > > Full packet capture exercises are planned by root server operators > on 2010-01-13 and 2010-01-19, with data being uploaded to OARC's > Day in the Life (DITL) infrastructure, in preparation for the full > packet captures that will take place during L's DURZ transition. > > > PLANNED DEPLOYMENT SCHEDULE > > The recently-published deployment plan contains target maintenance > windows for each root server's transition to serve the DURZ. The > date for the first such transition, on the L root server, has been > deferred slightly to accommodate more extensive data capture and > measurement testing by all root servers, and also to allow an NSD > upgrade to be tested and deployed on L. > > ICANN plans to serve the DURZ on L-Root using NSD 3.2.4, which is > better able to serve large DNS responses. See > for more details. > > Week of 2010-01-25: L starts to serve DURZ > > Week of 2010-02-08: A starts to serve DURZ > > Week of 2010-03-01: M, I start to serve DURZ > > Week of 2010-03-22: D, K, E start to serve DURZ > > Week of 2010-04-12: B, H, C, G, F start to serve DURZ > > Week of 2010-05-03: J starts to serve DURZ > > 2010-07-01: Distribution of validatable, production, signed root > zone; publication of root zone trust anchor > > (Please note that this schedule is tentative and subject to change > based on testing results or other unforseen factors.) > > _______________________________________________ > dns-operations mailing list > dns-operations en lists.dns-oarc.net > https://lists.dns-oarc.net/mailman/listinfo/dns-operations > > > _______________________________________________ > Seguridad mailing list > Seguridad en lacnic.net > https://mail.lacnic.net/mailman/listinfo/seguridad > > From francisco en arias.com.mx Tue Jan 26 16:45:04 2010 From: francisco en arias.com.mx (Francisco Arias) Date: Tue, 26 Jan 2010 10:45:04 -0800 Subject: [LACNIC/Seguridad] Fwd: Root Zone DNSSEC Deployment Technical Status Update In-Reply-To: <81ffbdca1001260526t2978247bp26087ce527a4a5dc@mail.gmail.com> References: <0A21E822-EF4E-4328-A9B7-69A11B949009@hopcount.ca> <81ffbdca1001260526t2978247bp26087ce527a4a5dc@mail.gmail.com> Message-ID: Pensé que había reenviado el último mensaje, pero aparentemente no lo hice, aquí va. Básicamente la zona raíz aparecerá firmada (aunque inverificable), por primera vez, en el servidor raíz L mañana 27 de febrero entre las 18:00 - 20:00 UTC. Saludos, Francisco. ---------- Forwarded message ---------- From: Mehmet Akcin To: Mehmet Akcin Date: Mon, 25 Jan 2010 01:56:56 -0800 Subject: L-Root Maintenance 2010-01-27 1800 UTC - 2000 UTC Hi As part of staged, incremental deployment of DNSSEC in the root zone L-Root will begin serving a Deliberately Unvalidatable Root Zone (DURZ) after the completion of its scheduled maintenance at 2010-01-27 1800 UTC - 2000 UTC Please contact L-Root NOC via noc en dns.icann.org or T: +1.310.301.5817 if you have any questions. Please contact with rootsign en icann.org if you have any questions regarding DNSSEC Deployment at root zone. Regards Joe Abley / Mehmet Akcin / Dave Knight ICANN DNS Ops / L-ROOT ------- 2010/1/26 Christian O'Flaherty > Hola Francisco, > > Qué pasó con la Firma? > > Chris > > 2010/1/14 Francisco Arias : > > Les transmito un mensaje de actualización sobre la firma de la zona raíz. > Es > > de resaltar la publicación de varios documentos y el cambio de fecha para > > iniciar la publicación de la zona raíz firmada (aunque no verificable) en > el > > serivor raíz L el 25 de enero próximo. > > > > Saludos, > > > > Francisco. > > > > > > ---------- Forwarded message ---------- > > From: Joe Abley > > Date: 2010/1/14 > > Subject: [dns-operations] Root Zone DNSSEC Deployment Technical Status > > Update > > To: dns-operations en mail.dns-oarc.net > > Cc: rootsign en icann.org > > > > > > This is the second of a series of technical status updates intended > > to inform a technical audience on progress in signing the root zone > > of the DNS. Apologies if you receive multiple copies of this message. > > > > > > RESOURCES > > > > Details of the project, including documentation published to date, > > can be found at http://www.root-dnssec.org/. > > > > We'd like to hear from you. If you have feedback for us, please > > send it to rootsign en icann.org. > > > > > > DOCUMENTATION > > > > The following draft documents were recently published: > > > > - DNSSEC Deployment for the Root Zone > > > > - DNSSEC Trust Anchor Publication for the Root Zone > > > > The following documents are expected to be released as drafts within > > the next few weeks: > > > > - DNSSEC Test Plan for the Root Zone > > > > - KSK Holder DNSSEC Facility Requirements > > > > > > DEPLOYMENT STATUS > > > > A second KSR exchange between ICANN and VeriSign took place on > > 2009-12-28. Signing, validation, measurement and monitoring > > infrastructure continues to be tested. > > > > The incremental deployment of DNSSEC in the Root Zone is being > > carried out first by serving a Deliberately-Unvalidatable Root Zone > > (DURZ), and subsequently by a conventionally-signed root zone. > > Discussion of the approach can be found in the document "DNSSEC > > Deployment for the Root Zone", as well as in the technical presentations > > delivered at RIPE, NANOG, IETF and ICANN meetings. > > > > Internal publication of the DURZ to root server operators began on > > 7 January 2010, to allow root server operators to do internal testing > > and to refine internal monitoring or other operational systems. > > Note that all root servers will continue to serve the unsigned root > > zone during this internal testing of the DURZ. > > > > Full packet capture exercises are planned by root server operators > > on 2010-01-13 and 2010-01-19, with data being uploaded to OARC's > > Day in the Life (DITL) infrastructure, in preparation for the full > > packet captures that will take place during L's DURZ transition. > > > > > > PLANNED DEPLOYMENT SCHEDULE > > > > The recently-published deployment plan contains target maintenance > > windows for each root server's transition to serve the DURZ. The > > date for the first such transition, on the L root server, has been > > deferred slightly to accommodate more extensive data capture and > > measurement testing by all root servers, and also to allow an NSD > > upgrade to be tested and deployed on L. > > > > ICANN plans to serve the DURZ on L-Root using NSD 3.2.4, which is > > better able to serve large DNS responses. See > > for more details. > > > > Week of 2010-01-25: L starts to serve DURZ > > > > Week of 2010-02-08: A starts to serve DURZ > > > > Week of 2010-03-01: M, I start to serve DURZ > > > > Week of 2010-03-22: D, K, E start to serve DURZ > > > > Week of 2010-04-12: B, H, C, G, F start to serve DURZ > > > > Week of 2010-05-03: J starts to serve DURZ > > > > 2010-07-01: Distribution of validatable, production, signed root > > zone; publication of root zone trust anchor > > > > (Please note that this schedule is tentative and subject to change > > based on testing results or other unforseen factors.) > > > > _______________________________________________ > > dns-operations mailing list > > dns-operations en lists.dns-oarc.net > > https://lists.dns-oarc.net/mailman/listinfo/dns-operations > > > > > > _______________________________________________ > > Seguridad mailing list > > Seguridad en lacnic.net > > https://mail.lacnic.net/mailman/listinfo/seguridad > > > > > _______________________________________________ > Seguridad mailing list > Seguridad en lacnic.net > https://mail.lacnic.net/mailman/listinfo/seguridad > ------------ próxima parte ------------ Se ha borrado un adjunto en formato HTML... URL: From francisco en arias.com.mx Wed Jan 27 17:15:14 2010 From: francisco en arias.com.mx (Francisco Arias) Date: Wed, 27 Jan 2010 11:15:14 -0800 Subject: [LACNIC/Seguridad] [lacnog] L-Root Maintenance 2010-01-27 1800 UTC - 2000 UTC In-Reply-To: References: Message-ID: Ya es visible la llave (no verificable) de la raíz firmada: $ dig +short @199.7.83.42 . dnskey 256 3 8 AwEAAa1Lh++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION+++++++++++++++++++++++++++++++++++++++++++ +++++++8 257 3 8 AwEAAawBe++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION+++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++8= ... y por supuesto la zona raíz firmada en general. Saludos, Francisco. 2010/1/27 Mehmet Akcin > Hello World, > > L-Root has completed it's maintenance and now serving DURZ. > > You can observe L-Root DSC Stats by visiting > http://stats.l.root-servers.org > > Please contact L-Root NOC via email noc en dns.icann.org or T: > +1.310.301.5817 > if you have any questions > > Please contact rootsign en icann.org if you have any questions regarding > DNSSEC > Deployment at root zone. > > Joe Abley / Mehmet Akcin / Dave Knight > ICANN DNS Ops / L-ROOT / AS20144 / AS-LROOT > Peering info: http://as20144.peeringdb.com > > > On 1/27/10 12:31 PM, "Mehmet Akcin" wrote: > > > Hello, > > > > L-Root maintenance is starting in 30 mins ( 2010-01-27 1800 UTC ) > > > > Regards > > > > Joe Abley / Mehmet Akcin / Dave Knight > > ICANN DNS Ops / L-ROOT > > > >>> Hi > >>> > >>> As part of staged, incremental deployment of DNSSEC in the root > >>> zone L-Root will begin serving a Deliberately Unvalidatable > >>> Root Zone (DURZ) after the completion of its scheduled > >>> maintenance at 2010-01-27 1800 UTC - 2000 UTC > >>> > >>> Please contact L-Root NOC via noc en dns.icann.org or > >>> T: +1.310.301.5817 if you have any questions. > >>> > >>> Please contact with rootsign en icann.org if you have any > >>> questions regarding DNSSEC Deployment at root zone. > > > > > > > > > > _______________________________________________ > > LACNOG mailing list > > LACNOG en lacnic.net > > https://mail.lacnic.net/mailman/listinfo/lacnog > > _______________________________________________ > LACNOG mailing list > LACNOG en lacnic.net > https://mail.lacnic.net/mailman/listinfo/lacnog > ------------ próxima parte ------------ Se ha borrado un adjunto en formato HTML... URL: