Latest posts.

Do you have a question for Mr. DNS?

If you have a question about DNS for Mr. DNS, he’d love to hear it. Drop him a line at mrdns@ask-mrdns.com.

Episode 52

In this episode, number 52 (cards in a deck! And just wait till we hit 53, which has special significance!), Matt and Cricket are joined by a pantheon of the gods of DNS.  However, since they neglected to ask any of the speakers to introduce themselves, you’ll just have to guess, Band Aid “Do They Know It’s Christmas”-style, who’s who.  (Olafur’s basically a gimme–our Boy George or Bono.)  We answer David Mar’s question about how to learn the basics of DNS and then recap some of the topics of the Inside Baseball meeting we’d been attending, graciously hosted by Salesforce and organized by Allison Mankin & company.

Episode 51

In this episode, number 51, Matt and Cricket are joined by Kyle York and Joe Abley, respectively the Chief Strategy Officer and we-don’t-know-what of Dyn.  Kyle and Joe ably (ha!) fill in some of the details on the DDoS attack against Dyn on October 21 of last year.  And Kyle brags about the Patriots “dynasty,” which for three quarters sure looked like the pride that cometh before a fall, but holy cow!  Oh, and the guys jointly answer a question from Grant Taylor about a clever-but-frankly-awful way of adding a CNAME record to the apex of your zone and read a correction from Håkan Lindqvist about using underscores in certain fields of a cert.

Episode 50

In this episode, the 50th–their golden episode!–Matt and Cricket are joined by Dan York of the Internet Society, who brings them up to date on DNSSEC adoption.  Then the trio answer questions from Matt’s former colleague Rick Andrews about the use of underscores in domain names and from Ben Dash about how some companies get around the prohibition against adding CNAME records to zone apexes.  Apices.  Whatever.

Episode 49

Cricket and Matt took advantage of being in the same place for once to record the podcast, though that doesn’t stop us from forgetting which episode number we’re actually recording.  We answer four questions on subjects relating to SPF, DNSSEC, /etc/host.conf and authoritative server selection by recursive name servers.  On that last topic, Matt refers to research on server selection he contributed to and promises a link to the paper in the show notes.  The paper is “Authority Server Selection of DNS Caching Resolvers” and was published in ACM SIGCOMM Computer Communication Review (CCR), April 2012.

Root DNSSEC Key Ceremony 27 Attestation


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday, October 27, I attended the Root DNSSEC Key Ceremony 27,
administered by Public Technical Identifiers (PTI), the administrator
of the IANA functions and an affiliate of ICANN, which was held in
PTI's key management facility (KMF) in Culpeper, Virginia, USA.

ICANN and PTI are in the process of rolling the root zone key-signing
key (KSK) and details about that project are available at:

https://www.icann.org/resources/pages/ksk-rollover

I attest that a new key intended to be the next root zone KSK was
generated at that ceremony, and that the following DS record
corresponds to the newly generated key:

. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

The key will not be declared operationally ready until it is imported
into the hardware security modules (HSMs) in PTI's second KMF in El
Segundo, CA, at the next root key ceremony planned for February, 2017.
Provided that ceremony is successful and that subsequent root KSK
rollover plans proceed according to schedule, the key attested to
above will become the next root zone KSK and be used to sign the root
zone's key set on October 11, 2017.

I further attest that the ceremony followed the script published at
https://data.iana.org/ksk-ceremony/27/KC27_Script.pdf, with one minor
exception relating to the formatting of USB drives used to transport
signed material out of the ceremony room.

Disclosure: I am employed by ICANN as VP of Research and sometimes act
as a Ceremony Administrator (CA) for root key ceremonies.

Matt Larson
28 October 2017
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlgTpoMACgkQATXaA1CYG0VqFgCeINrlVQDIDAMZO0RtlftiNYMj
5CgAniFE+fdA9MQY/BE3VwG0dEvhHsU/
=sM6f
-----END PGP SIGNATURE-----

Episode 48

In Episode 48, we are pleased to welcome Bert Hubert of PowerDNS fame to the show.  We reach into the mailbag to answer Nic Waller’s question about measuring which names in a zone are actually queried, Jesus Cea’s question about proving domain ownership to obtain a Let’s Encrypt certificate (which caused us to do some actual research before recording!), and a question that long-suffering listener Yiorgos Adamopoulos gamely sent in about using the blockchain for name resolution.  As usual, we indulge in light banter completely unrelated to DNS, this time on outrageous cell phone roaming charges and Dutch pipe organs.

Episode 47

In this episode, our 47th, we realize the mailbag is actually fuller than we thought, and work diligently to answer questions from a “long-term” Swedish listener about IPv6 reverse mapping, from Jeremy Laidman about BIND 9.11’s new catalog zones feature, and from (the also likely Swedish) Håkan Lindqvist about the credibility of DNS data, particularly NS records.  We also digress into ruminating over the possible deleterious effects of The Disney Channel on the attitudes of tween daughters, why the first four minutes of the forthcoming “Sully” are likely the highlight of the film, and what we’ve been watching on TV lately.  Don’t miss it!

Episode 46

This episode, number 46, features a guest appearance from Roy Arends of ICANN, whom Matt, Roy’s boss, swears wasn’t forced to participate in our forsaken podcast after midnight Oxford time.  Roy’s worked on Unbound, fpdns, DNSSEC, and Nominet’s Turing product.  We answer questions from Jacob Evans about mismatched SOA records and name server support for IPv6 anycast, and from long-suffering listener Evaggelos Balaskas about Response Policy Zones and why he sees different responses to queries for A records for google.com.  Along the way, Matt announces his new job, and while tracing the origin of Matt’s pet phrase, “There has been no time,” a discussion of the term “shirt-tail relatives” ensues, during which Cricket forgets the word “commutativity.”

Episode 45

We’re back again, scraping the bottom of the mailbag for questions.  Erik Radde helped us out with a question on the interaction of wildcards and the search list, and Lenny Tropiano tweeted a question at Mr. DNS about Dyn’s support for a feature that provides CNAME-like semantics at a zone apex.  Along the way there were detours into the three laws of thermodynamics and, more importantly as the AI revolution grows ever closer, the three laws of robotics.

Episode 44

Well, we said we’d try to keep to a monthly schedule, and we arguably just made it!  This episode, number 44, features a special guest:  Andrew Sullivan, Matt’s colleague at Dyn and Chair of the Internet Architecture Board.  Now, if we’d planned ahead and let you know Andrew was going to be on the show, we could have let you know so that you could have submitted lots of thoughtful questions for him to answer, but by now you know not to expect that kind of forethought from us.  Instead, we asked him about stuff we’re interested in, including the IANA transition and ARCING, an IETF effort to identify alternative resolution contexts.  We also answer a question from Sheridan West about some suspicious-looking log messages from his name server and one from Jeff Helman about the right DNS configuration for handling multiple back-end web servers.
