[afnog] first signed root zone

ALAIN AINA aalain at trstech.net
Fri Jul 16 08:52:07 UTC 2010


On Jul 16, 2010, at 8:01 AM, Walubengo J wrote:

> Alain,
> 
> Nice to know. Just a quick question. Of what value (security-wise) would be a signed root server in relation to the many unsigned anycast (root) servers across the globe?
> 
> In other words, if the anycast server in Kenya is unsigned and it is handling my DNS requests, then I don't get to benefit from the remote signed root server (right?)


Can you provide, from Nairobi:

dig @f.root-servers.net  .  soa +dnssec 
dig @j.root-servers.net .  soa +dnssec

and 

dig +norec @F.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT
dig +norec @J.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT

thanks


--alain
> 
> walu.
> 
> --- On Fri, 7/16/10, ALAIN AINA <aalain at trstech.net> wrote:
> 
> From: ALAIN AINA <aalain at trstech.net>
> Subject: [afnog] first signed root zone
> To: afnog at afnog.org
> Date: Friday, July 16, 2010, 8:48 AM
> 
> Hi,
> 
> First signed root zone published. serial number is 2010071501.
> 
> Congratulations to the people who made this happen.
> 
> Now let's see if it breaks anything and how the TLD DS records will flow in the root zone.
> 
> Do you remember our comment to NTIA enquiring about signing the root zone?
> 
> http://www.ntia.doc.gov/DNS/comments/comment020.pdf
> 
> Cheers
> 
> --alain
> 
> 
> 
> 
> 
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @f.root-servers.net . any +dnssec
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33797
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 22
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;.                IN    ANY
> 
> ;; ANSWER SECTION:
> .            86400    IN    SOA    a.root-servers.net. nstld.verisign-grs.com. 2010071501 1800 900 604800 86400
> .            86400    IN    RRSIG    NSEC 8 0 86400 20100722000000 20100714230000 41248 . hRFnAY9bkRYKSVlnz8E1mG9QqRdoiK1UoMdPBO/mowHzJINUcFPYPXNS Mt74pesK7B0FAu4jEvzG+rXgD0D0e+t9RQXQLVYTMHIdA2qN6x+ujFV/ atbuVs+R8TAMUs1YO8fvFxWC/Be/eI63fzQXi7vy/kYOvujQF74jyjA8 Es4=
> .            86400    IN    NSEC    ac. NS SOA RRSIG NSEC DNSKEY
> .            86400    IN    RRSIG    DNSKEY 8 0 86400 20100725235959 20100711000000 19036 . I4cENgcWP+mN7eoX8KqPhvOMcGB0MMOB6ooTbEKHPR9gk6sAcJvq04tC ncwBNiMY3JxzHajsLmMermTL0sVmXj8j6Ba3eTX+t4CsdnUBFfk8zDyb lIIlYwWKZ/x2aXmOjKIKMIC9w8Wnt8awoo45MWzlAT2wGU7gcCAKxJ+O FG/ev8eUXpNxpzRIQvuC7ZGOlELJrrTQCgubyMWOjGaY0MPzrei0Uwe9 2autHPcISBKghnp80zfLmkueSO8qmkbwHn6Jg5vFQ7mG/BKJ5mDXCX5k IjfBQPPe+I2FsGnl+2r9yAmT1n7xLzktKRwKpCwE265EUhDMq7e0P7gF khgEPA==
> .            86400    IN    DNSKEY    257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
> .            86400    IN    DNSKEY    256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467 QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQN DNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel 8Icy19hR
> .            518400    IN    RRSIG    NS 8 0 518400 20100722000000 20100714230000 41248 . ohs6B6xof3LrglEMni5/gz9NY5M8MWx0qNVpzo8SmzdqhA4gUGTzHW2O 9kz7ZqZLZq6LXUF2Qg2eYoY9rfBjajq0PSZIzkpwWGVIF2hQnbtiDUwS RR/RliyBUsGyvom7LNug+527vQCCEu9GNWS9rSgqo2HY44+CYjqo0mpF Y58=
> .            518400    IN    NS    l.root-servers.net.
> .            518400    IN    NS    e.root-servers.net.
> .            518400    IN    NS    i.root-servers.net.
> .            518400    IN    NS    d.root-servers.net.
> .            518400    IN    NS    k.root-servers.net.
> .            518400    IN    NS    h.root-servers.net.
> .            518400    IN    NS    f.root-servers.net.
> .            518400    IN    NS    j.root-servers.net.
> .            518400    IN    NS    a.root-servers.net.
> .            518400    IN    NS    c.root-servers.net.
> .            518400    IN    NS    g.root-servers.net.
> .            518400    IN    NS    b.root-servers.net.
> .            518400    IN    NS    m.root-servers.net.
> .            86400    IN    RRSIG    SOA 8 0 86400 20100722000000 20100714230000 41248 . iJEabLsGHtCq8qrfSbMIjzPpBLqXa0aD5cBsIp9Sf/NF0VJQQ4nl/v+j 6NR6/KClkAz2VviWE4hLDzMWcil5qzZJLvqduDedk3QV+mBKNy3OVPdN IeyxK/nYtxVBJMKbynJ8pBm0vAL3TW1+0JEfD7IG0do5t84+32hQd9Mb Vn0=
> 
> ;; ADDITIONAL SECTION:
> a.root-servers.net.    3600000    IN    A    198.41.0.4
> b.root-servers.net.    3600000    IN    A    192.228.79.201
> c.root-servers.net.    3600000    IN    A    192.33.4.12
> d.root-servers.net.    3600000    IN    A    128.8.10.90
> e.root-servers.net.    3600000    IN    A    192.203.230.10
> f.root-servers.net.    3600000    IN    A    192.5.5.241
> g.root-servers.net.    3600000    IN    A    192.112.36.4
> h.root-servers.net.    3600000    IN    A    128.63.2.53
> i.root-servers.net.    3600000    IN    A    192.36.148.17
> j.root-servers.net.    3600000    IN    A    192.58.128.30
> k.root-servers.net.    3600000    IN    A    193.0.14.129
> l.root-servers.net.    3600000    IN    A    199.7.83.42
> m.root-servers.net.    3600000    IN    A    202.12.27.33
> a.root-servers.net.    3600000    IN    AAAA    2001:503:ba3e::2:30
> f.root-servers.net.    3600000    IN    AAAA    2001:500:2f::f
> h.root-servers.net.    3600000    IN    AAAA    2001:500:1::803f:235
> i.root-servers.net.    3600000    IN    AAAA    2001:7fe::53
> j.root-servers.net.    3600000    IN    AAAA    2001:503:c27::2:30
> k.root-servers.net.    3600000    IN    AAAA    2001:7fd::1
> l.root-servers.net.    3600000    IN    AAAA    2001:500:3::42
> m.root-servers.net.    3600000    IN    AAAA    2001:dc3::35
> 
> ;; Query time: 201 msec
> ;; SERVER: 192.5.5.241#53(192.5.5.241)
> ;; WHEN: Fri Jul 16 04:23:34 2010
> ;; MSG SIZE  rcvd: 1934
> 
> 
> 
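As an added example (not part of either poster's message), a shell helper that reads the output of the dig queries requested above and reports whether the answering instance returned the root SOA together with its RRSIG, and which instance answered the HOSTNAME.BIND query. The sample responses, the placeholder signature and the instance name are constructed; the serial, key tag and signature dates are the ones in the quoted output.

```shell
#!/usr/bin/env bash
# Summarise a `dig @server . soa +dnssec` response read on stdin.
# $1 = time to test the RRSIG window against, as YYYYMMDDHHMMSS (UTC).
check_signed_soa() {
  awk -v now="$1" '
    /^; EDNS:/ && /flags:[^;]*do/ { dof = "yes" }
    $1 == "." && $3 == "IN" && $4 == "SOA" { serial = $7 }
    $1 == "." && $4 == "RRSIG" && $5 == "SOA" {
      sig = "yes"; keytag = $11   # $9 = expiration, $10 = inception
      inwin = (now + 0 >= $10 + 0 && now + 0 <= $9 + 0) ? "yes" : "no"
    }
    END {
      printf "serial=%s do=%s rrsig_soa=%s keytag=%s in_window=%s\n",
        (serial == "" ? "-" : serial), (dof == "" ? "no" : dof),
        (sig == "" ? "no" : sig), (keytag == "" ? "-" : keytag),
        (inwin == "" ? "-" : inwin)
    }'
}

# Instance name from a `dig +norec @server HOSTNAME.BIND CHAOS TXT` response.
instance_id() {
  awk '$3 == "CH" && $4 == "TXT" { gsub(/"/, "", $5); print $5 }'
}

# Constructed, abridged dig output used as sample input (not real captures).
sample_signed() { cat <<'EOF'
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010071501 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20100722000000 20100714230000 41248 . PLACEHOLDERSIG=
EOF
}
sample_plain() { cat <<'EOF'
;; ANSWER SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010071501 1800 900 604800 86400
EOF
}
sample_chaos() { cat <<'EOF'
;; ANSWER SECTION:
hostname.bind. 0 CH TXT "example-instance.invalid"
EOF
}

sample_signed | check_signed_soa 20100716085207   # signatures returned
sample_plain  | check_signed_soa 20100716085207   # no RRSIG in the answer
sample_chaos  | instance_id                       # which instance answered
```

Against a live server, pipe the real query in, for example `dig @f.root-servers.net . soa +dnssec | check_signed_soa "$(date -u +%Y%m%d%H%M%S)"`. A result of rrsig_soa=yes shows only that the instance serves the signatures; checking them against the root key is the job of a validating resolver.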



