Root Zone DNSSEC Deployment
Technical Status Update 2010-05-05
This is the sixth of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS.
** The final transition to a signed root zone took place today
** on J-Root, between 1700--1900 UTC.
Hi,
I was building a test domain for trying out DNSSEC. However, as mentioned
on various websites, "ad" appears in the flags, but I can't see it. The
domain I am using is not real and I am testing from the same machine,
Fedora-12. Any help?
Thanks
options {
dnssec-enable yes;
dnssec-validation yes;
};
[root@ns1 named-data]# dig +dnssec @localhost www
; <<>> DiG 9.6.2-P1-RedHat-9.6.2-3.P1.fc12 <<>> +dnssec @localhost www
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16601
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www. IN A
;; AUTHORITY SECTION:
. 5221 IN SOA a.root-servers.net.
nstld.verisign-grs.com. 2010051600 1800 900 604800 86400
. 5221 IN RRSIG SOA 8 0 86400 20100523070000
20100516060000 55138 .
KTwve6TiQ6ShXCfEcbYusFWOCsx+IwCUumBr4GnwnNq1eqs7tqQaHqkJ
T/ewcvjXvRGOmHjhGRgqkdESse+/fa+tz1sSdvMsTGGI2Ba9/Fbb43Ty
eqsG5cFxbqfXOpwlA4ab9IR2Vkod6genONeYO6rrm2edNwQrf56wrtJr CNM=
. 5221 IN RRSIG NSEC 8 0 86400
20100523070000 20100516060000 55138 .
uIgAQvJUyLjAPwb7zB8wcJ4wk++21g+iF/bJGlpvz4iUJOMwkPgqA2s/
A8W0MhxBjo7918xg6yJeqYwXB+rGG14F7UZfOBVlXIqno5/kXzi4Carh
/8sulBMyHbFmVlOht5SLU230ROaI6+4o0B6IRyiP5Vzgjt00zyFu26Rg Yb8=
. 5221 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
ws. 5221 IN RRSIG NSEC 8 1 86400
20100523070000 20100516060000 55138 .
KsvM0PTDqWt0yoJNZ4k1UGTw0UtJZxsZa17bDHAyY7w1eocZlCqGJNd8
2/WDeJMfCkM+MakJLblnixlI6QcNYV6ctrKZkNuA/iX2rwapouVYoC7G
HxvBLnb5TFWkCML+fhgOWza8RmRnCTY593uBgsPtcgEfTZAzYB+QFCEP 6oI=
ws. 5221 IN NSEC 测试. NS RRSIG NSEC
;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 16 11:02:43 2010
;; MSG SIZE rcvd: 641
You probably need a trust anchor as well.
See http://ftp.isc.org/isc/pubs/tn/isc-tn-2006-1.html.
Rubens
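As an added example (not code from this thread), the following Python parses the header, EDNS and RRSIG lines of the dig output quoted above and reports why the AD bit is absent, which is the diagnosis Rubens gives: the DO bit was requested and root-signed RRSIGs came back in date, so what is missing is a trust anchor on the validating resolver. The sample input is constructed from the quoted output with the signature data truncated; the functions `parse_dig` and `diagnose` are this example's own.

```python
import re
from datetime import datetime

# Constructed sample: the header, EDNS and RRSIG lines from the dig output
# quoted in the question (signature data truncated; the parser ignores it).
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16601
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
. 5221 IN RRSIG SOA 8 0 86400 20100523070000 20100516060000 55138 . KTwve6...
. 5221 IN RRSIG NSEC 8 0 86400 20100523070000 20100516060000 55138 . uIgAQv...
;; WHEN: Sun May 16 11:02:43 2010
"""

def parse_dig(text):
    """Collect header flags, EDNS flags, RRSIG validity windows and query time."""
    info = {"flags": set(), "edns": set(), "rrsigs": [], "when": None}
    for line in text.splitlines():
        f = line.split()
        if m := re.match(r";; flags:\s*([a-z ]*);", line):
            info["flags"] = set(m.group(1).split())
        elif m := re.match(r"; EDNS: version: \d+, flags:\s*([a-z ]*);", line):
            info["edns"] = set(m.group(1).split())
        elif m := re.match(r";; WHEN: (.+)$", line):
            # dig prints local time; RRSIG times are UTC, so this is approximate
            info["when"] = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        elif len(f) >= 12 and f[3] == "RRSIG":
            # owner ttl IN RRSIG covered alg labels origttl expire incept keytag signer
            info["rrsigs"].append({
                "owner": f[0], "covers": f[4], "alg": int(f[5]),
                "expire": datetime.strptime(f[8], "%Y%m%d%H%M%S"),
                "incept": datetime.strptime(f[9], "%Y%m%d%H%M%S"),
                "keytag": int(f[10]), "signer": f[11]})
    return info

def diagnose(info):
    """Explain the state of the AD (authenticated data) bit in a response."""
    if "do" not in info["edns"]:
        return "no DO bit: DNSSEC data was not requested (query with +dnssec)"
    if "ad" in info["flags"]:
        return "validated: AD bit set by the resolver"
    if not info["rrsigs"]:
        return "unsigned: no RRSIG records in the response"
    for sig in info["rrsigs"]:
        if info["when"] and not sig["incept"] <= info["when"] <= sig["expire"]:
            return f"RRSIG over {sig['covers']} at {sig['owner']} is outside its validity window"
    signers = ", ".join(sorted({s["signer"] for s in info["rrsigs"]}))
    return (f"signed by {signers} but not validated: RRSIGs present and in date, "
            "AD absent, so the resolver has no trust anchor or validation is off")
```

Running `diagnose(parse_dig(SAMPLE))` on the quoted output reports the signed-but-not-validated case; the same functions distinguish an expired signature from a missing trust anchor.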
Thanks for the hint. I also found this link useful:
https://dlv.isc.org/about/using
-dani
I am having this problem now:
# dnssec-signzone -N INCREMENT mydomain.org
Verifying the zone using the following algorithms: RSASHA1.
Missing RSASHA1 signature for . NSEC
The zone is not fully signed for the following algorithms: RSASHA1.
dnssec-signzone: fatal: DNSSEC completeness test failed.
What could be wrong?
I have followed these steps:
OS = centos 5.4 with bind-9.6.2-3.P1
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org
dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org
cat Kmydomain.org.+005+*.key >> mydomain.org
dnssec-signzone -N INCREMENT mydomain.org
Thanks
-dani
I have these in named.conf
dnssec-enable yes;
dnssec-validation yes;
// dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";
With the trust-anchor line uncommented, as soon as I enable it and reload BIND, dig
times out, while dig has no issues with only the first two commands enabled.
-dani
Is there any specific DNSSEC mailing list which might be more helpful?
Thanks
-dani
You should probably take these questions to the bind-users list, where there are many people who will help you. See <https://lists.isc.org/mailman/listinfo>.
Configuring DLV is quite possibly not what you want in this instance.
Joe
Is there any specific DNSSEC mailing list which might be more helpful?
DNSSEC Deployment <dnssec-deployment@dnssec-deployment.org>
http://www.dnssec-deployment.org/
steve