Hey SWINOGgers,
I noticed that DNSSEC was somehow auto-disabled at registry level for some .ch domains I am responsible for.
For these domains, no DS records are published anymore in the .ch zone, dnsviz shows a broken chain of trust.
However, registrar data still shows that DNSSEC is enabled, but the registry (SWITCH) says it is not...
Is this a known problem?
Seems not all DNSSEC protected .ch domains are affected, which leads me to the suspicion that it might have
to do with the algorithm being used.
Did SWITCH turn off older algorithms, e.g. algo 7 (RSASHA1-NSEC3-SHA1)? Did I miss an announcement?
Random example, e.g. gkb.ch (notably a bank...)
> dig +short @dns1.inventx.ch gkb.ch dnskey
> 256 3 7 AwEAAdYydDZyd5M3UGS5b4Yv6qlIO5eOSwskJ/DQjiRO0as59ZG6hMDJ VseqslJMTwghdiCrd/sicWvDOszK6Cuqye0+ZEm9tfG6gxgWWmzpSmXQ KDHRG1iV8UF0KSOciFAPp4qRe083KPXu2ChXkTUSAa/iRCcZdFJK2M6l c7Gjjj55
> 257 3 7 AwEAAbQv5Whc+cna1IbtESB+Pwx+8eP5jfbjhuqiFuU/18qUckR9NxT7 KUCT8GDlRTsGYmuKxcMITvH510CgGOA/6TORaB4iIXRnACmfiiku25/B NHmNJd58ymZ/ED17smVJ4ou77/rhxW+/0Q1iVIAOcY8EblWq3EabepYz E6CY9Vh/RTh2mvSl80h8nZyFotsEwN0LIlc/Pi0qGmy7iTOBqtVsbFVm gssn/2c7IMCA8N2aaP1it8Qi+3DDGDh3N8HSEIVk+nrgQtsqQaLOFPGQ Q0ezahQO6oVGKG4XAHw+2XaZQ3UT0sTcFj3ZVKCcGE4Ddoa3J/gqLQh7 aA44cVIQx+s=
>
> dig +short @a.nic.ch gkb.ch ds
>
> -> no DS record
Working example with algorithm 13 (ECDSA Curve P-256 with SHA-256):
> dig +short @ns2.switch.ch switch.ch dnskey
> 257 3 13 keJOWxnKOCymNa0sPpwp/ioeyvgrXjY9hu8KxWdaxlMFukxquKVLdt2J 5KxGOpmIZZbOXRALfG78FnDsE/k8EQ==
> 256 3 13 YOf+TLHGeDBL0q6DSpE4vE2ub8RUvniew7xYkZJHocU6je7Ww/MfUeHf B1LEDpFNFloYHFBvWD92gu5MT2ZJ1A==
> 256 3 13 twHlL7CfhxPadzuRi3wRxEDs+3i/oe9W3heRKiP8CALwpexBZYCjMJ2w Z403h9dJ/iA7CzCTSmvePLGdJ4cIzQ==
>
> dig +short @a.nic.ch switch.ch ds
> 32265 13 2 8A865736961D246F99D6111BCA060E69908380FD5545D799F21E4652 DA60A17C
Could anybody shed some light on this?
Thx & regards, Franco
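The manual check in the message above (DNSKEY at the child, DS at the parent) can be scripted. The following is an added example, not part of the original post: it takes the text output of the two `dig +short` queries, recomputes key tag and SHA-256 DS digest per RFC 4034, and classifies the delegation. Function names and the sample key are constructed for illustration.

```python
import base64, hashlib, struct

ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}

def parse_rr(text):
    """Parse `dig +short` DNSKEY or DS lines; non-record lines are skipped."""
    rows = []
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 4 and all(f.isdigit() for f in fields[:3]):
            rows.append((int(fields[0]), int(fields[1]), int(fields[2]), "".join(fields[3:])))
    return rows

def rdata(flags, proto, alg, b64key):
    # DNSKEY RDATA wire format: flags(2) protocol(1) algorithm(1) public key
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(b64key)

def key_tag(rd):
    # RFC 4034 Appendix B checksum over the DNSKEY RDATA
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rd))
    return (acc + (acc >> 16)) & 0xFFFF

def wire_name(zone):
    # Owner name in canonical wire form: length-prefixed lowercase labels, root last
    labels = zone.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_sha256(zone, rd):
    # DS digest type 2 = SHA-256(owner name in wire form | DNSKEY RDATA)
    return hashlib.sha256(wire_name(zone) + rd).hexdigest().upper()

def delegation_state(zone, dnskey_text, ds_text):
    """Return (state, algorithm names seen in the child's DNSKEY set)."""
    keys, ds = parse_rr(dnskey_text), parse_rr(ds_text)
    algs = sorted({ALG_NAMES.get(k[2], str(k[2])) for k in keys})
    if not keys:
        return "unsigned", algs
    if not ds:
        return "insecure: signed zone, no DS at parent", algs
    for k in keys:
        rd = rdata(*k)
        for tag, alg, dtype, digest in ds:
            # Only digest type 2 (SHA-256) is checked in this example
            if (tag, alg, dtype, digest.upper()) == (key_tag(rd), k[2], 2, ds_sha256(zone, rd)):
                return "secure: DS matches a DNSKEY", algs
    return "bogus: no SHA-256 DS matches a DNSKEY", algs

if __name__ == "__main__":
    # Constructed sample (not the keys from the post): algorithm 7 KSK, empty DS answer.
    print(delegation_state("example.ch", "257 3 7 AQIDBAUGBwg=", ""))
```

Feed it the captured output of `dig +short @<child-ns> <zone> dnskey` and `dig +short @<parent-ns> <zone> ds`; the "insecure" result corresponds to the situation described for the affected domains.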
Hi Matthias,
at the University of Bern, we are replacing our current Enterasys/Extreme/Brocade/Ruckus gear by Extreme Network models. For core/distribution/ToR, we opted for the 7400 and 5520 series with VOSS (Fabric engine) and so far, we are quite happy with the choice. The 5520-24x could fit your requirements - 10G copper is feasible with copper plugins. (max. 50% of copper plugins supported due to heat dissipation) BTW, we use a mix of „original“ and Flexoptix plugins.
Hope this helps - otherwise feel free to give me a call.
Cheers,
Philipp
> On 27.04.2023 at 12:00, swinog-request(a)lists.swinog.ch wrote:
>
> Message: 1
> Date: Thu, 27 Apr 2023 04:04:06 +0200
> From: Matthias Hertzog <matthias(a)hertzog.ch>
> Subject: [swinog] Datacenter switches
> To: swinog(a)swinog.ch
> Message-ID: <9B113594-1951-46A4-A6D1-B0ED90C92131(a)hertzog.ch>
> Content-Type: text/plain; charset=utf-8
>
> Dear colleagues
>
> As some of you already figured, I'm about to dive into the ISP scene again. „What a surprise“ ;-)
>
> I'm currently evaluating datacenter switches. Current need is at least 12 10gig SFP ports and some 10gig copper ports.
>
> What brands and models are you guys using these days? I've used Cisco and Foundry/Brocade in the past, but I'm open for recommendations.
>
> Thanks & have a nice day,
> Matthias
>
Dear colleagues
As some of you already figured, I'm about to dive into the ISP scene again. „What a surprise“ ;-)
I'm currently evaluating datacenter switches. Current need is at least 12 10gig SFP ports and some 10gig copper ports.
What brands and models are you guys using these days? I've used Cisco and Foundry/Brocade in the past, but I'm open for recommendations.
Thanks & have a nice day,
Matthias
Hi there!
I’m looking for a /24 to buy. I have my own LIR and know how the transfer works. If you have something for sale, please let me know before I dive into the RIPE listing service and grow more grey hair due to non-responding people in there.
Immediate and hassle-free payment guaranteed.
Thanks & best wishes,
Matthias
Dear all,
this is the Call for Presentations for the European Peering Forum 2023.
AMS-IX, DE-CIX, LINX, NETNOD and guest IXP NIX.CZ, are happy to host the
European Peering Forum (EPF) 2023 from Sunday the 10th to Wednesday 13th
September 2023 in Prague, Czech Republic.
The event will welcome peering managers and coordinators from networks
connected to the host and guest Internet exchanges.
Besides some interesting topical agenda, the three-day event
accommodates room for attendees to meet on a one-to-one basis to discuss
bilateral peering business opportunities.
The programme committee will be looking for presentations related to
peering and technical topics of interconnection. Your presentation
should address:
* Interconnection Automation
* Regional Peering
* Interconnection / Peering Internet Governance and Regulatory Topics
* Economic and Product Trends
* Peering / Interconnection strategies
* Interesting findings about Peering / Interconnection
* 400GE and beyond
* Any other hot topic related to Interconnection / Peering
Submissions
===========
Presentations must be of a non-commercial nature. Product or marketing
heavy talks are strongly discouraged.
Submissions of presentations should be made to the programme committee
<epf-pc(a)peering-forum.eu>. Please include:
* Author's name and e-mail address
* Presentation title
* Abstract
* Slides (if available)
* Time requested (max. 30 minutes incl. Q&A)
Deadlines
=========
Please send in your presentation asap. We decide on a first come first
serve basis. The latest date for submission is July 30th, 2023.
More information about the event and other activities around EPF16 may
be found at
* https://peering-forum.eu/2023/
* https://www.facebook.com/groups/1486607564933665/
On behalf of EPF,
Best regards,
AMS-IX, DE-CIX, LINX and NETNOD
--
Keep calm, keep distance, keep connected!
Arnold Nipper
email: arnold(a)nipper.de
mobile: +49 172 2650958
Hello,
We have a complaint from a customer, with an unreachable website (stepcom.ch hosted on cloudflare).
No DNS answer for the domain on multiple DNS servers of Bluewin (195.186.4.107 - 109 and 195.186.1.110 - 111).
All working fine with an open DNS server (Quad, Google etc.).
Could someone at Bluewin check that?
Thanks.
Rémy
Hi all
Does anyone have a contact to the IT or more precisely Email /
Marketing Department of the UN Geneva Forum aka Objectif Sciences
International?
https://www.osi-ngo.org/
They most probably have acquired an email list containing SWINOG
Spamtraps and are using this to advertise their science activities, getting
shared Office365 IP addresses, used by the UN and other Swiss Office365
customers, blacklisted.
I was in contact with the OSI Geneva Forum CEO, but he was not
successful in finding anyone in charge.
--
Kind regards
-Benoît Panizzon- @ home office and reachable as usual
--
I m p r o W a r e A G - Head of Commerce Customers
______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Switzerland Web http://www.imp.ch
______________________________________________________