[afnog] first signed root zone

Frank Habicht geier at geier.ne.tz
Fri Jul 16 09:07:26 UTC 2010


Hi,

better first check if your assumption
(that the one in KE is not signed) is correct.
The one in TZ gives signatures.

Frank



[frank at cacti ~]$ dig @k.root-servers.net . any +dnssec

; <<>> DiG ... <<>> @k.root-servers.net . any +dnssec
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64419
;; flags: qr aa rd; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 22

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      ANY

;; ANSWER SECTION:
.                       86400   IN      SOA     a.root-servers.net.
nstld.verisign-grs.com. 2010071501 1800 900 604800 86400
.                       86400   IN      RRSIG   SOA 8 0 86400
20100722000000 20100714230000 41248 .
iJEabLsGHtCq8qrfSbMIjzPpBLqXa0aD5cBsIp9Sf/NF0VJQQ4nl/v+j
6NR6/KClkAz2VviWE4hLDzMWcil5qzZJLvqduDedk3QV+mBKNy3OVPdN
IeyxK/nYtxVBJMKbynJ8pBm0vAL3TW1+0JEfD7IG0do5t84+32hQd9Mb Vn0=
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      RRSIG   NS 8 0 518400
20100722000000 20100714230000 41248 .
ohs6B6xof3LrglEMni5/gz9NY5M8MWx0qNVpzo8SmzdqhA4gUGTzHW2O
9kz7ZqZLZq6LXUF2Qg2eYoY9rfBjajq0PSZIzkpwWGVIF2hQnbtiDUwS
RR/RliyBUsGyvom7LNug+527vQCCEu9GNWS9rSgqo2HY44+CYjqo0mpF Y58=
.                       86400   IN      DNSKEY  256 3 8
AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467
QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQN
DNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel 8Icy19hR
.                       86400   IN      DNSKEY  257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.                       86400   IN      RRSIG   DNSKEY 8 0 86400
20100725235959 20100711000000 19036 .
I4cENgcWP+mN7eoX8KqPhvOMcGB0MMOB6ooTbEKHPR9gk6sAcJvq04tC
ncwBNiMY3JxzHajsLmMermTL0sVmXj8j6Ba3eTX+t4CsdnUBFfk8zDyb
lIIlYwWKZ/x2aXmOjKIKMIC9w8Wnt8awoo45MWzlAT2wGU7gcCAKxJ+O
FG/ev8eUXpNxpzRIQvuC7ZGOlELJrrTQCgubyMWOjGaY0MPzrei0Uwe9
2autHPcISBKghnp80zfLmkueSO8qmkbwHn6Jg5vFQ7mG/BKJ5mDXCX5k
IjfBQPPe+I2FsGnl+2r9yAmT1n7xLzktKRwKpCwE265EUhDMq7e0P7gF khgEPA==
.                       86400   IN      NSEC    ac. NS SOA RRSIG NSEC DNSKEY
.                       86400   IN      RRSIG   NSEC 8 0 86400
20100722000000 20100714230000 41248 .
hRFnAY9bkRYKSVlnz8E1mG9QqRdoiK1UoMdPBO/mowHzJINUcFPYPXNS
Mt74pesK7B0FAu4jEvzG+rXgD0D0e+t9RQXQLVYTMHIdA2qN6x+ujFV/
atbuVs+R8TAMUs1YO8fvFxWC/Be/eI63fzQXi7vy/kYOvujQF74jyjA8 Es4=

;; ADDITIONAL SECTION:
a.root-servers.net.     518400  IN      A       198.41.0.4
b.root-servers.net.     518400  IN      A       192.228.79.201
c.root-servers.net.     518400  IN      A       192.33.4.12
d.root-servers.net.     518400  IN      A       128.8.10.90
e.root-servers.net.     518400  IN      A       192.203.230.10
f.root-servers.net.     518400  IN      A       192.5.5.241
g.root-servers.net.     518400  IN      A       192.112.36.4
h.root-servers.net.     518400  IN      A       128.63.2.53
i.root-servers.net.     518400  IN      A       192.36.148.17
j.root-servers.net.     518400  IN      A       192.58.128.30
k.root-servers.net.     518400  IN      A       193.0.14.129
l.root-servers.net.     518400  IN      A       199.7.83.42
m.root-servers.net.     518400  IN      A       202.12.27.33
a.root-servers.net.     518400  IN      AAAA    2001:503:ba3e::2:30
f.root-servers.net.     518400  IN      AAAA    2001:500:2f::f
h.root-servers.net.     518400  IN      AAAA    2001:500:1::803f:235
i.root-servers.net.     518400  IN      AAAA    2001:7fe::53
j.root-servers.net.     518400  IN      AAAA    2001:503:c27::2:30
k.root-servers.net.     518400  IN      AAAA    2001:7fd::1
l.root-servers.net.     518400  IN      AAAA    2001:500:3::42
m.root-servers.net.     518400  IN      AAAA    2001:dc3::35

;; Query time: 5 msec
;; SERVER: 193.0.14.129#53(193.0.14.129)
;; WHEN: Fri Jul 16 09:07:25 2010


On 7/16/2010 11:01 AM, Walubengo J wrote:
> Alain,
> 
> nice to know. jst a quick qtn.  Of what value (security-wise) would be a
> signed root server in relation to the many unsigned anycast (root)
> servers accross the globe?
> 
> In other words, if the anycast server in Kenya is unsigned and it is
> handling my dns requests, then i dont get to benefit from the remote
> signed root server (right?)
> 
> walu.



More information about the afnog mailing list