DNSSEC Status...

Casey Deccio casey at deccio.net
Tue Jun 1 15:13:50 UTC 2010


On Tue, Jun 1, 2010 at 6:55 AM, Heavy Man <heavyman66 at yahoo.com> wrote:

> A few questions about DNSSEC...
>
> I understand the root zones are currently getting signed.


The root zone is currently signed with a DURZ (deliberately unvalidatable
root zone) as part of its deployment.  See the following site for more
information:  http://www.root-dnssec.org/

> Just for sanity's sake, should I be able to DIG +dnssec a.gtld-servers.net and
> be able to see a RRSIG record (assume I have a valid dnssec recursive name
> server with a valid trust anchor configured).


(As a side note, gtld-servers.net is the domain corresponding to the names
of servers authoritative for TLD servers (e.g., edu, com, net), not the root
zone.)

There is a difference between the name of a zone and the names of the
servers authoritative for that zone, which are the "targets" of the NS
records.  For example:

$ dig . ns

; <<>> DiG 9.7.0-P1 <<>> . ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63188
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;.                IN    NS

;; ANSWER SECTION:
.            484118    IN    NS    d.root-servers.net.
.            484118    IN    NS    l.root-servers.net.
.            484118    IN    NS    i.root-servers.net.
.            484118    IN    NS    h.root-servers.net.
.            484118    IN    NS    e.root-servers.net.
.            484118    IN    NS    j.root-servers.net.
.            484118    IN    NS    m.root-servers.net.
.            484118    IN    NS    g.root-servers.net.
.            484118    IN    NS    a.root-servers.net.
.            484118    IN    NS    f.root-servers.net.
.            484118    IN    NS    c.root-servers.net.
.            484118    IN    NS    k.root-servers.net.
.            484118    IN    NS    b.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.    144120    IN    A    198.41.0.4

The zone origin is ".", but the names of the authoritative servers are
[a-m].root-servers.net.  In DNSSEC, signing is done on a per-zone basis, so the
signing of the root-servers.net zone is independent of (and unnecessary for)
the signing of the root zone (".").

This being said, if you now query the root servers for DNSSEC RRs pertaining
to the root zone, you will get the following:

$ dig @a.root-servers.net +dnssec . ns

; <<>> DiG 9.7.0-P1 <<>> @a.root-servers.net +dnssec . ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8463
;; flags: qr aa rd; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 21
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                IN    NS

;; ANSWER SECTION:
.            518400    IN    NS    a.root-servers.net.
.            518400    IN    NS    h.root-servers.net.
.            518400    IN    NS    j.root-servers.net.
.            518400    IN    NS    m.root-servers.net.
.            518400    IN    NS    g.root-servers.net.
.            518400    IN    NS    e.root-servers.net.
.            518400    IN    NS    k.root-servers.net.
.            518400    IN    NS    d.root-servers.net.
.            518400    IN    NS    c.root-servers.net.
.            518400    IN    NS    i.root-servers.net.
.            518400    IN    NS    b.root-servers.net.
.            518400    IN    NS    l.root-servers.net.
.            518400    IN    NS    f.root-servers.net.
.            518400    IN    RRSIG    NS 8 0 518400 20100607070000 20100531060000 55138 . xJyVQ+6RhZ7OQZFqFBY+z6xTeLWk7GpGljhp2zmkXVkK1bB3x0DZsdwA MF7+pyXa3hkUvbG4+MBErWmhiJveV/DyU00kZXrWc8oma82uhLvgBjwf /q7JArynxkbhrsbFoHT0IBQe9mQBhfJAta9myUEc01EGDVWwvpATMTTM Ktc=

which includes the RRSIG covering the NS RRset for the root zone.

Regards,
Casey
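The reply above makes two points a practitioner wants to check for themselves: that the RRSIG returned with the root NS RRset covers the zone "." (its signer field is "."), and that the a.root-servers.net names are a different zone and carry no signature in that response. The script below is an added example, not code from the post or from BIND. It parses dig-style records (one record per line, as dig prints them without +multiline), groups them into RRsets, pairs each RRset with the RRSIG(s) covering it, and applies the pre-cryptographic checks a validator makes under RFC 4035 section 5.3.1 (signer name, label count, validity window) for a chosen reference time. It uses only the Python standard library; the sample input is the dig output quoted in the post, embedded as a string so it runs offline. It does not verify the signature bytes themselves, which would require the zone's DNSKEY RRset.

```python
"""Classify the RRsets in a `dig +dnssec` answer by their RRSIG state.

Added example, not code from the post or from BIND.  Standard library only.
Does NOT verify signature bytes (that needs the DNSKEY RRset); it performs
the RFC 4035 5.3.1 pre-checks a validator does before any cryptography.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Records copied from the dig output in the post (three of the thirteen root
# NS records suffice).  The root NS RRset is signed by the root zone; the
# a.root-servers.net A record is glue from the root-servers.net zone and
# carries no RRSIG in this response.  Backslashes join the wrapped RRSIG line.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
.            518400    IN    NS    a.root-servers.net.
.            518400    IN    NS    b.root-servers.net.
.            518400    IN    NS    c.root-servers.net.
.            518400    IN    RRSIG    NS 8 0 518400 20100607070000 \
20100531060000 55138 . \
xJyVQ+6RhZ7OQZFqFBY+z6xTeLWk7GpGljhp2zmkXVkK1bB3x0DZsdwA \
MF7+pyXa3hkUvbG4+MBErWmhiJveV/DyU00kZXrWc8oma82uhLvgBjwf \
/q7JArynxkbhrsbFoHT0IBQe9mQBhfJAta9myUEc01EGDVWwvpATMTTM Ktc=
;; ADDITIONAL SECTION:
a.root-servers.net.    144120    IN    A    198.41.0.4
"""


def parse_timestamp(s):
    """RRSIG times as dig prints them: YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def label_count(name):
    """Number of labels in a presentation-format name ('.' has zero)."""
    return 0 if name == "." else len(name.rstrip(".").split("."))


def parse_records(text):
    """Yield (owner, ttl, type, rdata tokens) for each record line of dig output."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dig comments and section headers
        owner, ttl, rrclass, rrtype, *rdata = line.split()
        if rrclass.upper() != "IN":
            raise ValueError(f"unsupported class in record: {line}")
        yield owner.lower(), int(ttl), rrtype.upper(), rdata


def parse_rrsig(rdata):
    """Split RRSIG rdata (RFC 4034 section 3.2 presentation format)."""
    covered, alg, labels, orig_ttl, expiry, inception, key_tag, signer, *sig = rdata
    return {"covered": covered.upper(), "algorithm": int(alg), "labels": int(labels),
            "original_ttl": int(orig_ttl), "expiration": parse_timestamp(expiry),
            "inception": parse_timestamp(inception), "key_tag": int(key_tag),
            "signer": signer.lower(), "signature": "".join(sig)}


def check_rrsig(owner, sig, now):
    """Pre-crypto checks from RFC 4035 5.3.1; returns 'valid' or the failing reason."""
    if sig["labels"] > label_count(owner):
        return "bad label count"
    if not (owner == sig["signer"] or sig["signer"] == "."
            or owner.endswith("." + sig["signer"])):
        return "signer is not an ancestor of the owner"
    if now < sig["inception"]:
        return "not yet valid"
    if now > sig["expiration"]:
        return "expired"
    return "valid"


def signature_report(text, now):
    """Map each (owner, type) RRset to its signature status at time `now`.

    `now` is a timezone-aware datetime or a YYYYMMDDHHmmSS string (UTC).
    """
    if isinstance(now, str):
        now = parse_timestamp(now)
    rrsets, rrsigs = defaultdict(list), defaultdict(list)
    for owner, _ttl, rrtype, rdata in parse_records(text):
        if rrtype == "RRSIG":
            sig = parse_rrsig(rdata)
            rrsigs[(owner, sig["covered"])].append(sig)  # keyed by what it covers
        else:
            rrsets[(owner, rrtype)].append(" ".join(rdata))
    report = {}
    for key, rdatas in rrsets.items():
        sigs = rrsigs.get(key, [])
        results = [check_rrsig(key[0], s, now) for s in sigs]
        # A validator needs only one RRSIG over the RRset to pass.
        status = "unsigned" if not sigs else ("valid" if "valid" in results else results[0])
        report[key] = {"records": len(rdatas), "status": status,
                       "key_tags": sorted(s["key_tag"] for s in sigs),
                       "signers": sorted({s["signer"] for s in sigs})}
    return report


if __name__ == "__main__":
    when = datetime(2010, 6, 1, 15, 13, 50, tzinfo=timezone.utc)  # the post's date
    for (owner, rrtype), info in signature_report(SAMPLE_DIG_OUTPUT, when).items():
        print(f"{owner:22} {rrtype:6} {info['status']:14} key tags {info['key_tags']} "
              f"signers {info['signers']}")
```

Run against the sample at the post's timestamp, the root NS RRset reports as signed and within its window by key tag 55138 with signer ".", while the a.root-servers.net A record reports as unsigned, which is exactly the zone-versus-server-name distinction the reply draws. Feed it the output of a real `dig @a.root-servers.net +dnssec . ns` (or any `dig +dnssec` answer) to see which RRsets in a response actually carry signatures and whether those signatures have lapsed.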