[afnog] Signing root zone
aalain at trstech.net
Thu Nov 6 16:30:01 UTC 2008
On Nov 6, 2008, at 1:33 PM, Stephane Bortzmeyer wrote:
> On Thu, Nov 06, 2008 at 09:40:41AM +0000,
> alain aina <aalain at trstech.net> wrote
> a message of 18 lines which said:
>> Just wondering if people here are informed about what is going on with
>> DNSSEC deployment
> BTW, trstech.net is *not* resolvable with a DNSSEC resolver using
> DLV. There is a DLV record at dlv.isc.org but the zone is not signed
> (the DNSSEC equivalent of a lame delegation).
> As a result, my BIND resolver yielded SERVFAIL.
As you noticed, and as the dig below confirms, trstech.net was one of the
first users of ISC DLV. It does not scale and does not work exactly as we
expected, so we are abandoning it for now.
; <<>> DiG 9.4.2-P2 <<>> @ns-ext.isc.org trstech.net.dlv.isc.org dlv
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46271
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
;; QUESTION SECTION:
;trstech.net.dlv.isc.org. IN DLV
;; ANSWER SECTION:
trstech.net.dlv.isc.org. 3600 IN DLV 36472 5 1
trstech.net.dlv.isc.org. 3600 IN DLV 36472 5 2
;; Query time: 120 msec
;; SERVER: 184.108.40.206#53(220.127.116.11)
;; WHEN: Thu Nov 6 16:14:51 2008
;; MSG SIZE rcvd: 386
> (Thanks to Gilles Massen of the ".lu" registry for the technical
> This emphasizes several points:
> * DNSSEC requires much more professionalism,
> * DNSSEC allows you to shoot yourself in the foot quite easily.
Were people expecting DNSSEC to be a simple and easy solution?
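The failure Stephane describes is a DLV record at dlv.isc.org whose digest no longer corresponds to any DNSKEY served by the zone (or to any DNSKEY at all), which a validating resolver treats as bogus and answers with SERVFAIL. The check below is an added example, not code from either poster or from ISC: since a DLV record carries the same RDATA as a DS record, it recomputes the DS-style digest over the owner name and each DNSKEY (RFC 4034) and reports the DLV set as lame when nothing matches. The DLV digests in the dig output above are truncated on this page, so the key material, the zone's DNSKEY and the DLV records here are all constructed and labelled as such; the zone name is the only thing taken from the thread.

```python
"""Check whether a DLV (or DS) record set actually matches a zone's DNSKEY set.

A DLV record has the same RDATA as a DS record (RFC 4431): key tag, algorithm,
digest type, digest. The digest covers the owner name in wire form followed by
the DNSKEY RDATA (RFC 4034 section 5.1.4). If a DLV exists for a zone but no
DNSKEY in the zone produces a matching digest (or the zone has no DNSKEY at
all), a validating resolver treats the zone as bogus and returns SERVFAIL.
"""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS/DLV digest types: 1 = SHA-1, 2 = SHA-256 (the two seen in the dig above).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Hex digest for a DS/DLV record over owner-name || DNSKEY RDATA."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def build_dlv(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """(key tag, algorithm, digest type, digest) as it would be published at a DLV registry."""
    algorithm = rdata[3]
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def check_dlv(owner: str, dlv_rrset: list, dnskey_rrset: list) -> dict:
    """Compare each DLV record to the zone's DNSKEYs.

    Returns {"matched": [...], "unmatched": [...], "lame": bool}; lame is True
    when at least one DLV exists and none of them points at a published DNSKEY.
    """
    matched, unmatched = [], []
    for tag, alg, dtype, digest in dlv_rrset:
        ok = False
        for rdata in dnskey_rrset:
            if rdata[3] != alg or key_tag(rdata) != tag or dtype not in DIGEST_ALGS:
                continue
            if ds_digest(owner, rdata, dtype) == digest.upper():
                ok = True
                break
        (matched if ok else unmatched).append((tag, alg, dtype))
    return {"matched": matched, "unmatched": unmatched,
            "lame": bool(dlv_rrset) and not matched}


# Constructed sample data (not the real trstech.net key material): a KSK with
# flags 257, protocol 3, algorithm 5 (RSA/SHA-1) and a made-up public key blob.
ZONE = "trstech.net."
SAMPLE_KSK = dnskey_rdata(257, 3, 5, bytes(range(1, 65)))
SAMPLE_DLV = [build_dlv(ZONE, SAMPLE_KSK, 1), build_dlv(ZONE, SAMPLE_KSK, 2)]


def lame_scenario() -> dict:
    """DLV published, but the zone serves no DNSKEY: the state the thread describes."""
    return check_dlv(ZONE, SAMPLE_DLV, [])


def healthy_scenario() -> dict:
    """DLV published and the zone serves the matching KSK."""
    return check_dlv(ZONE, SAMPLE_DLV, [SAMPLE_KSK])


if __name__ == "__main__":
    for name, result in (("lame", lame_scenario()), ("healthy", healthy_scenario())):
        print(name, "-> lame DLV" if result["lame"] else "-> ok", result)
```

In practice the two inputs come from two different places: the DLV RRset from the registry zone (the query shown above) and the DNSKEY RRset from the zone's own authoritative servers, so the same comparison also catches the case where a zone rolled its KSK without updating the registry.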