Re: DNSSEC authentication and ad parameter
Hi Gaurav,

On 11/01/2012 11:13, Gaurav kansal wrote:

> Now, I understand why I was not getting my "AD" flag set in query response. I tried from google dns (8.8.8.8) also but didn't get "AD" bit set. This may be because 8.8.8.8 might not be configured for DLV validation. Is there any open dns available from which I can check my domain for "AD" flag set?

DNS OARC runs a pair of validating servers, open to the public. Here's a page with more information about them:

https://www.dns-oarc.net/oarc/services/odvr

Regards,
Anand Buddhdev
RIPE NCC

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC authentication and ad parameter
> I tried from google dns (8.8.8.8) also but didn't get AD bit set. This may be because 8.8.8.8 might not be configured for DLV validation.

Google's DNS servers don't do proper DNSSEC validation.

> Is there any open dns available from which I can check my domain for AD flag set?

Not to my knowledge, but I've just tried for you, and it looks fine:

    $ dig +multiline +dnssec test.nknsec.in
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20577
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
                        ^^
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;test.nknsec.in.        IN A

    ;; ANSWER SECTION:
    test.nknsec.in.         360 IN A 10.1.27.25
    test.nknsec.in.         360 IN RRSIG A 5 3 360 20120204072952 (
                            20120105072952 16755 test.nknsec.in.
                            DcLPb3hVDqal64UQe3Vk4NjbMRwSSWHNy4r/Bk42M2WQ
                            LZYBt9p7NpIT6g1AVdP2vyFs2q4CbA/QLUMeVWptvHBN
                            ZcA8/M4DpW5GpsOmC3SeZe01lCUzbANN/+NNg/PwHsPh
                            LUOEatmjZxfrU3lGpxXFF527ohzxXatZdX48lsM= )
Re: DNSSEC authentication and ad parameter
> DNS OARC runs a pair of validating servers, open to the public.

It appears their BIND server has DLV anchor configured, but their Unbound instance doesn't.

-JP
RE: DNSSEC authentication and ad parameter
Ya. It also appears the same to me.

-----Original Message-----
From: Jan-Piet Mens [mailto:jpm...@gmail.com] On Behalf Of Jan-Piet Mens
Sent: Wednesday, January 11, 2012 5:00 PM
To: bind-users@lists.isc.org
Cc: Gaurav kansal
Subject: Re: DNSSEC authentication and ad parameter

> > DNS OARC runs a pair of validating servers, open to the public.
>
> It appears their BIND server has DLV anchor configured, but their Unbound instance doesn't.
>
> -JP
RE: DNSSEC authentication and ad parameter
Thanks Anand.

I have one more question. Is there any option in bind which facilitates me to answer my clients for that zone only which has DNSSEC enabled? For all other queries, it should not answer.

Please don't print this e-mail until unless you really need, it will save Trees on Planet Earth.
IPv4 is Over, Are you ready for new Network.

Thanks n Regards,
GAURAV KANSAL
9910118448
VoIP - 6259
Operation And Routing Unit
NIC, NEW DELHI

-----Original Message-----
From: Anand Buddhdev [mailto:ana...@ripe.net]
Sent: Wednesday, January 11, 2012 4:37 PM
To: Gaurav kansal
Cc: bind-users@lists.isc.org
Subject: Re: DNSSEC authentication and ad parameter

> Hi Gaurav,
>
> On 11/01/2012 11:13, Gaurav kansal wrote:
>
> > Now, I understand why I was not getting my AD flag set in query response. I tried from google dns (8.8.8.8) also but didn't get AD bit set. This may be because 8.8.8.8 might not be configured for DLV validation. Is there any open dns available from which I can check my domain for AD flag set?
>
> DNS OARC runs a pair of validating servers, open to the public. Here's a page with more information about them:
>
> https://www.dns-oarc.net/oarc/services/odvr
>
> Regards,
> Anand Buddhdev
> RIPE NCC
Re: DNSSEC authentication and ad parameter
It is working.

--
$ dig test.nknsec.in +dnssec

; <<>> DiG 9.8.1 <<>> test.nknsec.in +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4578
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;test.nknsec.in.                IN      A

;; ANSWER SECTION:
test.nknsec.in.         352     IN      A       10.1.27.25
test.nknsec.in.         352     IN      RRSIG   A 5 3 360 20120204072952 20120105072952 16755 test.nknsec.in. DcLPb3hVDqal64UQe3Vk4NjbMRwSSWHNy4r/Bk42M2WQLZYBt9p7NpIT 6g1AVdP2vyFs2q4CbA/QLUMeVWptvHBNZcA8/M4DpW5GpsOmC3SeZe01 lCUzbANN/+NNg/PwHsPhLUOEatmjZxfrU3lGpxXFF527ohzxXatZdX48 lsM=

;; AUTHORITY SECTION:
test.nknsec.in.         349     IN      NS      ns1.nknsec.in.
test.nknsec.in.         349     IN      RRSIG   NS 5 3 360 20120204072952 20120105072952 16755 test.nknsec.in. ZOVyGZh6gPB7zT9ZniOy/+NQ+fwP00b4KagDQ1F9kCwiNjGrSxjmGQQg VD7R8LM6R4di1BBg8ayWtLQi7dVQdhmB942zy4BH/IYSMkWOf+WtILlx YAD64F1NoJ4GXKRH7t01fYQRMoOtr2Teuok0KdUctAQNYBOjw280RwkY h9Y=

;; Query time: 3 msec
;; SERVER: 160.124.48.16#53(160.124.48.16)
;; WHEN: Wed Jan 11 08:46:34 2012
;; MSG SIZE  rcvd: 425
--

You need a recursive resolver set up to do DNSSEC, including 'lookaside' for the DLV checking. You CAN NOT just use one of the nameservers that the domain uses. You need to ask that resolver. The resolver handling the zone (ns1.nknsec.in) will not set the 'ad' bit (assumption being there is no special configurations like views or multiple resolvers, etc.) when directly asked.

I wrote a guide on how to do this - http://dnssec.co.za/ - some time ago. It should be still valid. On the Linux Gentoo distribution, BIND is almost installed like this by default - except for the 'dlv' portion. I expect other distributions are similar?

I'll ignore issues like there is only one NS record for this and the parent (nknsec.in) - .IN allows this.

You should also be able to make the zone at the 'nknsec.in' level secure from that point onwards as well.

On Wed, 2012-01-11 at 10:45 +0530, Gaurav kansal wrote:

> Dear All,
>
> I had purchased a new domain especially for DNSSEC testing. But when I ask my registry to insert my DS keys in .in zone file, I got the answer that .in is still not ready for this although .in is signed.
>
> I tried to authenticate my domain through ISC dlv. I upload my DS key there and it is showing a "GOOD" status for my domain but still I am not getting "ad" parameter in my dig answer.
>
> Anyone please explain what I have to do next so that I can give authenticated answer for test.nknsec.in domain.
>
> Zone List
>
>     Zone Name         Status   DNSKEYs
>     test.nknsec.in    Good     1
>
> Please don't print this e-mail until unless you really need, it will save Trees on Planet Earth.
> IPv4 is Over, Are you ready for new Network.
>
> Thanks n Regards,
> GAURAV KANSAL
> 9910118448
> VoIP - 6259
> Operation And Routing Unit
> NIC, NEW DELHI

--
Posix Systems - (South) Africa
m...@posix.co.za - Mark J Elkins, Cisco CCIE
Tel: +27 12 807 0590  Cell: +27 82 601 0496
RE: DNSSEC authentication and ad parameter
Hello,

The authoritative NS for nknsec.in. *does* give answers with corresponding RRSIGs!

    $ dig @ns1.nknsec.in. test.nknsec.in. +dnssec +short
    10.1.27.25
    A 5 3 360 20120204072952 20120105072952 16755 test.nknsec.in. DcLPb3hVDqal64UQe3Vk4NjbMRwSSWHNy4r/Bk42M2WQLZYBt9p7NpIT 6g1AVdP2vyFs2q4CbA/QLUMeVWptvHBNZcA8/M4DpW5GpsOmC3SeZe01 lCUzbANN/+NNg/PwHsPhLUOEatmjZxfrU3lGpxXFF527ohzxXatZdX48 lsM=

-> there is an A record and a RRSIG over that A record

I hope you do not expect that (authoritative) NS to provide answers with AD-bit set? Because it will not!

Name servers in the authoritative role for a domain will never set the AD-bit; they will provide DNSSEC data (NSEC(3), RRSIG, DNSKEY) allowing validating caching and forwarding name servers to perform validation. Those validating name servers will set the AD-bit to indicate they performed verification and found everything OK.

Since, apparently, in .in you cannot get the DS information of your domain published yet, DLV is the only way to somehow establish a chain-of-trust. That requires that validating clients must also be configured for DLV. And my feeling is, with the growing number of top-level-domains getting ready for DNSSEC, there will be less and less demand for DLV (didn't I see a message stating end-of-life?).

Hope this is somehow helpful, if only to state that you should not expect AD-bit set from name servers in the authoritative role.

Kind regards,

Marc Lampo
Security Officer
EURid (for .eu)

From: Gaurav kansal [mailto:gaurav.kan...@nic.in]
Sent: 11 January 2012 06:16 AM
To: bind-users@lists.isc.org
Subject: DNSSEC authentication and ad parameter

> Dear All,
>
> I had purchased a new domain especially for DNSSEC testing. But when I ask my registry to insert my DS keys in .in zone file, I got the answer that .in is still not ready for this although .in is signed.
>
> I tried to authenticate my domain through ISC dlv. I upload my DS key there and it is showing a GOOD status for my domain but still I am not getting ad parameter in my dig answer.
>
> Anyone please explain what I have to do next so that I can give authenticated answer for test.nknsec.in domain.
>
> Zone List (https://dlv.isc.org/users/1632/zones/new)
>
>     Zone Name         Status   DNSKEYs   Zone
>     test.nknsec.in    Good     1         https://dlv.isc.org/zones/7129
>
> Please don't print this e-mail until unless you really need, it will save Trees on Planet Earth.
> IPv4 is Over, Are you ready for new Network.
>
> Thanks n Regards,
> GAURAV KANSAL
> 9910118448
> VoIP - 6259
> Operation And Routing Unit
> NIC, NEW DELHI
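The point made by both Mark Elkins and Marc Lampo (the AD bit is set only by a validating resolver that built a chain of trust, never by the authoritative server, which only hands out RRSIGs) can be checked at the packet level rather than by eyeballing dig output. The following is an added example, not code from the thread or from BIND: it builds the same DO-flagged query that `dig +dnssec` sends and decodes the response header flags; the two sample headers are constructed, and `ask()` is a hypothetical helper that needs network access.

```python
import socket
import struct
# Bit masks for the 16-bit flags word of the DNS header (RFC 1035; AD and CD from RFC 4035).
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}

def build_query(name, qid=0x1234):
    """Query for the A record of `name` with RD set, plus an EDNS0 OPT record carrying
    the DO bit, which is what `dig +dnssec` sends so that RRSIGs come back."""
    header = struct.pack(">HHHHHH", qid, FLAG_BITS["rd"], 1, 0, 0, 1)  # ARCOUNT=1 for OPT
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: owner=root, TYPE=41, CLASS=UDP payload size, ext-rcode, version, flags (DO), RDLEN
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def header_flags(response):
    """Decode the header flags that dig prints on its ';; flags:' line."""
    _, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", response[:12])
    out = {name: bool(flags & bit) for name, bit in FLAG_BITS.items()}
    out["ancount"] = ancount
    return out

def explain(flags):
    """Map the flag combination onto the cases discussed in the thread."""
    if flags["ad"]:
        return "validated: a validating resolver built a chain of trust and set AD"
    if flags["aa"]:
        return "authoritative answer: such a server returns RRSIGs but never sets AD"
    if flags["ra"]:
        return ("recursive resolver, no validation: it lacks dnssec-validation or, "
                "for a zone registered only in DLV, the DLV lookaside anchor")
    return "neither RA nor AA: not a server to check validation against"

def ask(name, resolver, timeout=3.0):
    """Hypothetical helper: send the query over UDP and decode the reply (needs network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("response ID does not match the query ID")
    return header_flags(data)

# Constructed sample headers (not captured from the thread): 0x81A0 is what dig showed as "qr rd ra ad",
# 0x8500 is "qr aa rd", the flags an authoritative server such as ns1 answers with.
VALIDATING_REPLY = struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 2, 2, 1)
AUTHORITATIVE_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8500, 1, 2, 2, 1)
```

Running `ask("test.nknsec.in", "<validating resolver>")` against a resolver with `dnssec-validation` and DLV lookaside configured should report AD set; asking ns1.nknsec.in directly never will, exactly as the replies above describe.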