DNSSEC Status...
Heavy Man
heavyman66 at yahoo.com
Tue Jun 1 13:55:14 UTC 2010
A few questions about DNSSEC...
I understand the root zones are currently getting signed. Just for sanity's sake, should I be able to dig +dnssec a.gtld-servers.net and be able to see a RRSIG record (assume I have a valid DNSSEC recursive name server with a valid trust anchor configured)? Check out the following...
[root at int-dns ~]# dig +dnssec a.gtld-servers.net
; <<>> DiG 9.6.1-P1 <<>> +dnssec a.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54144
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;a.gtld-servers.net. IN A
;; ANSWER SECTION:
a.gtld-servers.net. 171425 IN A 192.5.6.30
;; AUTHORITY SECTION:
gtld-servers.net. 171424 IN NS d2.nstld.com.
gtld-servers.net. 171424 IN NS f2.nstld.com.
gtld-servers.net. 171424 IN NS a2.nstld.com.
gtld-servers.net. 171424 IN NS g2.nstld.com.
gtld-servers.net. 171424 IN NS l2.nstld.com.
gtld-servers.net. 171424 IN NS e2.nstld.com.
gtld-servers.net. 171424 IN NS c2.nstld.com.
gtld-servers.net. 171424 IN NS h2.nstld.com.
;; Query time: 130 msec
;; SERVER: 10.10.10.1#53(10.10.10.1)
;; WHEN: Tue Jun 1 09:46:13 2010
;; MSG SIZE rcvd: 208
Also, reference the following URL...
https://ns.iana.org/dnssec/root.zone.signed
I assume this data is correct. Is there a security risk publishing this data? I understand DNS is public information but why wouldn't the root be signed using nsec3 versus nsec?
Thanks.
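As an added check (example code, not part of the original post), the script below reads dig text output and reports whether an answer carries the signals a validating resolver produces: the EDNS "do" flag, the "ad" header flag, and RRSIG records in the ANSWER section. The first sample is modelled on the output above (no RRSIG, no "ad"); the second is a constructed, validated-looking answer with placeholder names and signature data.

```python
import re

# Constructed sample modelled on the dig output in the post: no RRSIG, no 'ad' flag.
UNSIGNED_RESPONSE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;a.gtld-servers.net. IN A
;; ANSWER SECTION:
a.gtld-servers.net. 171425 IN A 192.5.6.30
;; AUTHORITY SECTION:
gtld-servers.net. 171424 IN NS d2.nstld.com.
"""

# Constructed sample of a validated answer; name and RRSIG fields are placeholders.
VALIDATED_RESPONSE = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
example.test. 3600 IN A 192.0.2.1
example.test. 3600 IN RRSIG A 8 2 3600 20100701000000 20100601000000 12345 example.test. PLACEHOLDERSIG==
"""

def parse_dig(text):
    """Return (header_flags, edns_flags, answers) where answers is [(owner, rrtype), ...]."""
    header_flags, edns_flags, section, answers = set(), set(), None, []
    for line in text.splitlines():
        m = re.match(r";; flags:\s*([^;]*);", line)
        if m:
            header_flags = set(m.group(1).split())
            continue
        m = re.match(r"; EDNS: version: \d+, flags:\s*([^;]*);", line)
        if m:
            edns_flags = set(m.group(1).split())
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        if section == "ANSWER" and line and not line.startswith(";"):
            fields = line.split()  # owner ttl class type rdata...
            if len(fields) >= 4:
                answers.append((fields[0], fields[3]))
    return header_flags, edns_flags, answers

def dnssec_status(text):
    """'validated', 'signed-not-validated', 'unsigned', or 'no-do' (DNSSEC not requested)."""
    header_flags, edns_flags, answers = parse_dig(text)
    if "do" not in edns_flags:
        return "no-do"
    has_rrsig = any(rtype == "RRSIG" for _, rtype in answers)
    if "ad" in header_flags and has_rrsig:
        return "validated"
    return "signed-not-validated" if has_rrsig else "unsigned"
```

An answer like the one in the post comes back as "unsigned": the query asked for DNSSEC data (do flag set) but no RRSIG was returned and the resolver did not set "ad".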