On Tue, Jun 1, 2010 at 6:55 AM, Heavy Man <heavyma...@yahoo.com> wrote:
> A few questions about DNSSEC...
>
> I understand the root zones are currently getting signed.

The root zone is currently signed with a DURZ (deliberately unvalidatable root zone) as part of its deployment. See the following site for more information:

http://www.root-dnssec.org/

> Just for sanity sake, should I be able to DIG +dnssec a.gtld-servers.net and
> be able to see a RRSIG record (assume I have a valid dnssec recursive name
> server with a valid trust anchor configured).

(As a side note, gtld-servers.net is the domain corresponding to the names of servers authoritative for TLD servers (e.g., edu, com, net), not the root zone.)

There is a difference between the name of a zone and the names of the servers authoritative for that zone, which are the "targets" of the NS records. For example:

$ dig . ns

; <<>> DiG 9.7.0-P1 <<>> . ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63188
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       484118  IN      NS      d.root-servers.net.
.                       484118  IN      NS      l.root-servers.net.
.                       484118  IN      NS      i.root-servers.net.
.                       484118  IN      NS      h.root-servers.net.
.                       484118  IN      NS      e.root-servers.net.
.                       484118  IN      NS      j.root-servers.net.
.                       484118  IN      NS      m.root-servers.net.
.                       484118  IN      NS      g.root-servers.net.
.                       484118  IN      NS      a.root-servers.net.
.                       484118  IN      NS      f.root-servers.net.
.                       484118  IN      NS      c.root-servers.net.
.                       484118  IN      NS      k.root-servers.net.
.                       484118  IN      NS      b.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     144120  IN      A       198.41.0.4

The zone origin is ".", but the names of the authoritative servers are [a-m].root-servers.net. In DNSSEC, signing is done on a per-zone basis, so the signing of the root-servers.net zone is independent of (and unnecessary for) the signing of the root zone (".").

This being said, if you now query the root servers for DNSSEC RRs pertaining to the root zone, you will get the following:

$ dig @a.root-servers.net +dnssec . ns

; <<>> DiG 9.7.0-P1 <<>> @a.root-servers.net +dnssec . ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8463
;; flags: qr aa rd; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 21
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      RRSIG   NS 8 0 518400 20100607070000 20100531060000 55138 . xJyVQ+6RhZ7OQZFqFBY+z6xTeLWk7GpGljhp2zmkXVkK1bB3x0DZsdwA MF7+pyXa3hkUvbG4+MBErWmhiJveV/DyU00kZXrWc8oma82uhLvgBjwf /q7JArynxkbhrsbFoHT0IBQe9mQBhfJAta9myUEc01EGDVWwvpATMTTM Ktc=

which includes the RRSIG covering the NS RRset for the root zone.

Regards,
Casey
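The "sanity check" the question asks for, in code: given the answer section of a dig +dnssec query, work out which RRsets are covered by an RRSIG, whether the signer name is the apex of the owner's zone (per-zone signing, as explained above), and whether the signature's inception/expiration window contains the current time. This is an added example, not from the thread or from BIND; the sample answer lines are constructed from the root-zone output quoted above, and the function and field names are mine.

```python
from datetime import datetime, timezone

# Constructed sample, condensed from the dig +dnssec output in the thread:
# two NS RRs for ".", the RRSIG covering that NS RRset, and one glue A record.
SAMPLE_ANSWER = """\
.  518400  IN  NS     a.root-servers.net.
.  518400  IN  NS     b.root-servers.net.
.  518400  IN  RRSIG  NS 8 0 518400 20100607070000 20100531060000 55138 . xJyVQ+6RhZ7OQZFqFBY+z6xTeLWk7GpGljhp2zmkXVkK1bB3x0DZsdwA
a.root-servers.net.  144120  IN  A  198.41.0.4
"""

def parse_ts(s):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrs(text):
    """Parse dig-style presentation lines into (owner, ttl, class, type, rdata)."""
    rrs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # skip blank lines and dig's ';;' commentary
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        rrs.append((owner, int(ttl), rclass, rtype, rdata))
    return rrs

def parse_rrsig(rdata):
    """RRSIG RDATA: type covered, alg, labels, orig TTL, expiry, inception, key tag, signer, sig."""
    f = rdata.split()
    return {"type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "orig_ttl": int(f[3]), "expiration": parse_ts(f[4]), "inception": parse_ts(f[5]),
            "key_tag": int(f[6]), "signer": f[7], "signature": "".join(f[8:])}

def in_zone(owner, zone):
    """True if owner lies at or below zone (the signer name must be the zone apex)."""
    return zone == "." or owner == zone or owner.endswith("." + zone)

def signed_rrsets(rrs, now):
    """Map each (owner, type) RRset to its covering RRSIG, annotated with two sanity checks."""
    rrsets = {(o, t) for o, _, _, t, _ in rrs if t != "RRSIG"}
    covered = {}
    for owner, _, _, rtype, rdata in rrs:
        if rtype != "RRSIG":
            continue
        sig = parse_rrsig(rdata)
        key = (owner, sig["type_covered"])
        if key not in rrsets:
            continue  # RRSIG present but the RRset it claims to cover is not in the answer
        sig["in_validity_window"] = sig["inception"] <= now <= sig["expiration"]
        sig["signer_is_apex_of_owner"] = in_zone(owner, sig["signer"])
        covered[key] = sig
    return covered

def unsigned_rrsets(rrs, now):
    """RRsets with no covering RRSIG, e.g. glue, which is not authoritative data and is never signed."""
    return {(o, t) for o, _, _, t, _ in rrs if t != "RRSIG"} - set(signed_rrsets(rrs, now))
```

A real validating resolver additionally fetches the DNSKEY matching the key tag and verifies the signature bytes; this example only checks the metadata a person reads off the dig output.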
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users