[afnog] Signing root zone
alain aina
aalain at trstech.net
Thu Nov 6 16:30:01 UTC 2008
On Nov 6, 2008, at 1:33 PM, Stephane Bortzmeyer wrote:
> On Thu, Nov 06, 2008 at 09:40:41AM +0000,
> alain aina <aalain at trstech.net> wrote
> a message of 18 lines which said:
>
>> Just wondering if people here are informed about what is going about
>> DNSSEC deployment
>
> BTW, trstech.net is *not* resolvable with a DNSSEC resolver using
> DLV. There is a DLV record at dlv.isc.org but the zone is not signed
> (the DNSSEC equivalent of a lame delegation).
>
> As a result, my BIND resolver yielded SERVFAIL.
As you noticed, and as the dig below confirms, trstech.net was one of the
first users of ISC DLV. It does not scale or work exactly how we
expected it to, and we are abandoning it for now.
; <<>> DiG 9.4.2-P2 <<>> @ns-ext.isc.org trstech.net.dlv.isc.org dlv
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46271
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
;; QUESTION SECTION:
;trstech.net.dlv.isc.org. IN DLV
;; ANSWER SECTION:
trstech.net.dlv.isc.org. 3600 IN DLV 36472 5 1
0B4B9F5A6CA4B0C800D2B432F1D206F176E8E00F
trstech.net.dlv.isc.org. 3600 IN DLV 36472 5 2
FB0DA57E6C06EA0CF636C47016DCE1DAC81142A3FCA389D2CBA829FC 2E0EABE0
[.............]
;; Query time: 120 msec
;; SERVER: 204.152.184.64#53(204.152.184.64)
;; WHEN: Thu Nov 6 16:14:51 2008
;; MSG SIZE rcvd: 386
>
>
> (Thanks to Gilles Massen of the ".lu" registry for the technical
> analysis.)
>
> This emphasizes several points:
>
> * DNSSEC requires much more professionalism,
>
> * DNSSEC allows you to shoot yourself in the foot quite easily.
>
Were people expecting DNSSEC to be a simple and easy solution?
--alain
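Added example, not part of the thread or of any ISC tool: a small Python checker for the situation Stephane describes, a DLV record published at dlv.isc.org while the zone itself carries no DNSKEY. It recomputes the DS/DLV digest (RFC 4034 section 5.1.4, reused for DLV by RFC 4431) over the zone name plus DNSKEY RDATA and compares it with what the DLV registry publishes. The only data taken from the thread are the two DLV records from the dig output; the DNSKEY is a constructed placeholder, not trstech.net's real key, and the function and verdict names are my own.

```python
# Added example (not part of the afnog thread): checks whether DLV records published
# for a zone actually correspond to a DNSKEY at that zone's apex, i.e. detects the
# "DLV record exists but zone is unsigned" condition that made a validating
# resolver return SERVFAIL for trstech.net. Digest computation follows RFC 4034
# section 5.1.4 (DS), which RFC 4431 reuses for DLV. No network access: records
# are passed in as already-parsed tuples.
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS/DLV digest types


def name_to_wire(name):
    """Canonical wire form of a domain name (lowercase labels, length-prefixed)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(zone, rdata, digest_type):
    """Digest over owner name (wire form) + DNSKEY RDATA, uppercase hex as dig prints it."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(zone) + rdata)
    return h.hexdigest().upper()


def check_dlv(zone, dlv_records, dnskeys):
    """dlv_records: (key_tag, algorithm, digest_type, digest_hex) as published at the
    DLV registry; dnskeys: (flags, protocol, algorithm, pubkey_b64) from the zone apex,
    empty when the zone is unsigned. Returns one of three verdicts (names are mine)."""
    if not dnskeys:
        # Trust anchor published, nothing to validate against: a validator treats
        # the zone as bogus rather than insecure, hence SERVFAIL.
        return "LAME_DLV"
    for tag, alg, dtype, digest in dlv_records:
        want = digest.replace(" ", "").upper()  # dig wraps long digests with a space
        for flags, proto, kalg, pub in dnskeys:
            rdata = dnskey_rdata(flags, proto, kalg, pub)
            if kalg == alg and key_tag(rdata) == tag and ds_digest(zone, rdata, dtype) == want:
                return "MATCH"
    return "NO_MATCHING_KEY"


# Constructed sample data. The DLV records are the two from the dig output in the
# thread; the DNSKEY is a made-up RSASHA1 key (algorithm 5) with placeholder key
# bytes, not trstech.net's real key.
ZONE = "trstech.net."
DLV_FROM_THREAD = [
    (36472, 5, 1, "0B4B9F5A6CA4B0C800D2B432F1D206F176E8E00F"),
    (36472, 5, 2, "FB0DA57E6C06EA0CF636C47016DCE1DAC81142A3FCA389D2CBA829FC 2E0EABE0"),
]
FAKE_KEY = (257, 3, 5, base64.b64encode(b"\x01\x02\x03\x04").decode())


def demo():
    """Three situations: unsigned zone (the thread's case), consistent DLV, stale DLV."""
    rdata = dnskey_rdata(*FAKE_KEY)
    good_dlv = [(key_tag(rdata), 5, 2, ds_digest(ZONE, rdata, 2))]
    return {
        "unsigned_zone": check_dlv(ZONE, DLV_FROM_THREAD, []),
        "consistent": check_dlv(ZONE, good_dlv, [FAKE_KEY]),
        "stale_dlv": check_dlv(ZONE, DLV_FROM_THREAD, [FAKE_KEY]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

In practice the two inputs come from a DNSKEY query at the zone apex and a DLV (or DS, at the parent) query at the registry; running the same comparison before publishing a trust anchor, and again after every key rollover, is what keeps a zone from going lame the way trstech.net did here. The same digest code applies unchanged to DS records, since DLV RDATA is identical to DS.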