dnssec-validation and root hints. why need to validate entries in root hints?

ivan jr sy ivan_jr at yahoo.com
Sun May 24 07:08:17 UTC 2009


Hi!

I have a DNSSEC isolated testlab and we simulated signing of a ccTLD. My friends and I already finished setting up the following:

1. client (resolvers)
2. DNS cache server (having a customized ROOT HINTS)
3. ROOT server (without root hints and with "." zone)
4. primary DNS server for "tld", "net.tld" and "testbed.net.tld" zones
5. secondary DNS server for "tld", "net.tld" and "testbed.net.tld" zones
6. primary Dns server for "domain.tld"
7. secondary Dns server for "domain.tld"

To make this posting short, I'll not narrate everything but rather inform you that everything was set up correctly and that the client can query the RRs of domain.tld perfectly.

However, when we signed the "tld" zone, provided the trusted-key of "tld" for the DNS cache server and activated dnssec-enable yes; (which in turn enabled dnssec-validation), the DNS cache server was no longer able to find the hostname "ns1test.testbed.net.tld".

Here's the root hints:

.                               3600000         NS      ns1test.testbed.net.tld.
ns1test.testbed.net.tld.       3600000         A       192.168.1.212


Tracking the problem down, I have the "tld" zone signed, "net.tld" signed and the DS RR correctly defined in "tld", but "testbed.net.tld" is NOT signed... so we signed it and added the DS in "net.tld"... and it worked! (In theory I can also have the root hints use a different FQDN and it would still work.)

Note: the root zone "." is not signed.


Direct to the question:

Q: I understand that BIND needs to validate *everything* once dnssec-validation is turned ON and a trusted-key is set up. But why does it need to validate the entries of its own ROOT HINTS? Isn't it trustworthy enough, since the mapping is already in the file? Shouldn't an exemption be good in this case? Also, the zone to be queried is "." (the root zone), so why is there a need to validate the "tld"?

I also have a production DNS cache server that has trusted-keys for "se", "gov", "dlv.isc.org", etc. and dnssec-validation enabled. (I haven't tried this yet) but in theory, if I add a (fictitious) trusted-key for "net", will it totally break my DNS cache?
A.ROOT-SERVERS.NET.



Thanks!
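As an added example (not code from the post, and not BIND's own logic), here is a toy model of the RFC 4035 chain-of-trust outcome (secure, insecure or bogus) for the lab zones named above and for the "fictitious trusted-key" question; the dict layout, function names and the example.net case are assumptions, and a boolean "signed" stands in for a successful signature check.

```python
# Added example, not code from the post: a toy model of the RFC 4035 security
# states a validating resolver assigns, using the zone names from the post.
# Dict layout, function names and the "production" case are constructed.

def zone_cuts(name):
    """Zones from the root down to `name`, e.g. 'a.net.tld.' -> ['.', 'tld', 'net.tld', 'a.net.tld']."""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]

def validation_state(name, zones, anchors):
    """Walk the delegation chain and return 'secure', 'insecure' or 'bogus' for data
    in the zone closest to `name`. `zones` maps zone -> {'signed': bool, 'ds': set()}
    (the set of child zones for which the zone publishes a DS); `anchors` are the
    zones that have a configured trusted-key."""
    chain = [z for z in zone_cuts(name) if z in zones]
    state, parent = "insecure", None
    for zone in chain:
        if zone in anchors:
            # A trusted-key starts a chain: the zone must really be signed with it,
            # otherwise everything at and below the anchor is bogus.
            state = "secure" if zones[zone]["signed"] else "bogus"
        elif state == "secure":
            if zone in zones[parent]["ds"]:
                # Parent publishes a DS, so the child must be signed (else bogus).
                state = "secure" if zones[zone]["signed"] else "bogus"
            else:
                # Signed parent proves there is no DS: an insecure delegation.
                state = "insecure"
        elif state == "bogus":
            break  # nothing below a bogus zone can be trusted
        # an insecure parent leaves the child insecure until another anchor is met
        parent = zone
    return state

# The lab before testbed.net.tld was signed: tld and net.tld signed, DS for net.tld in tld.
LAB_BEFORE = {
    ".": {"signed": False, "ds": set()},
    "tld": {"signed": True, "ds": {"net.tld"}},
    "net.tld": {"signed": True, "ds": set()},
    "testbed.net.tld": {"signed": False, "ds": set()},
}
# After the fix in the post: testbed.net.tld signed and its DS added to net.tld.
LAB_AFTER = {**LAB_BEFORE, "net.tld": {"signed": True, "ds": {"testbed.net.tld"}},
             "testbed.net.tld": {"signed": True, "ds": set()}}
# Constructed production-style case: a trusted-key for a zone that is not actually signed.
PROD_BOGUS_ANCHOR = {".": {"signed": False, "ds": set()}, "net": {"signed": False, "ds": set()},
                     "example.net": {"signed": False, "ds": set()}}
```

A real validator also has to fetch and cryptographically verify the DNSKEY and DS RRsets at each step; the model only tracks which state each step leads to, which is what decides whether a name under a trust anchor resolves at all.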