[afnog] first signed root zone-nairobi data
ALAIN AINA
aalain at trstech.net
Fri Jul 16 13:01:14 UTC 2010
Walu,
The data say....
The local F-root serves the signed root zone.
Your query to J-root did not reach the local instance. The local J-root is not reachable, or there is a routing issue.....
So at least the local anycast node of F-root in Nairobi is serving the signed root zone, and you should be good.
Cheers
--alain
On Jul 16, 2010, at 11:59 AM, Walubengo J wrote:
> Alain,
>
> Below is the Nairobi data. I suppose you will educate me on how to interpret it?
>
> walu.
>
> ; <<>> DiG 9.3.5-P1 <<>> @f.root-servers.net . soa +dnssec
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56929
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 22
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;. IN SOA
>
> ;; ANSWER SECTION:
> . 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010071501 1800 900
> 604800 86400
> . 86400 IN RRSIG SOA 8 0 86400 20100722000000 20100714230000 41248 .
> iJEabLsGHtCq8qrfSbMIjzPpBLqXa0aD5cBsIp9Sf/NF0VJQQ4nl/v+j
> 6NR6/KClkAz2VviWE4hLDzMWcil5qzZJLvqduDedk3QV+mBKNy3OVPdN
> IeyxK/nYtxVBJMKbynJ8pBm0vAL3TW1+0JEfD7IG0do5t84+32hQd9Mb Vn0=
>
> ;; AUTHORITY SECTION:
> . 518400 IN NS h.root-servers.net.
> . 518400 IN NS m.root-servers.net.
> . 518400 IN NS f.root-servers.net.
> . 518400 IN NS b.root-servers.net.
> . 518400 IN NS k.root-servers.net.
> . 518400 IN NS g.root-servers.net.
> . 518400 IN NS a.root-servers.net.
> . 518400 IN NS j.root-servers.net.
> . 518400 IN NS e.root-servers.net.
> . 518400 IN NS l.root-servers.net.
> . 518400 IN NS d.root-servers.net.
> . 518400 IN NS c.root-servers.net.
> . 518400 IN NS i.root-servers.net.
> . 518400 IN RRSIG NS 8 0 518400 20100722000000 20100714230000 41248 .
> ohs6B6xof3LrglEMni5/gz9NY5M8MWx0qNVpzo8SmzdqhA4gUGTzHW2O
> 9kz7ZqZLZq6LXUF2Qg2eYoY9rfBjajq0PSZIzkpwWGVIF2hQnbtiDUwS
> RR/RliyBUsGyvom7LNug+527vQCCEu9GNWS9rSgqo2HY44+CYjqo0mpF Y58=
>
> ;; ADDITIONAL SECTION:
> a.root-servers.net. 3600000 IN A 198.41.0.4
> b.root-servers.net. 3600000 IN A 192.228.79.201
> c.root-servers.net. 3600000 IN A 192.33.4.12
> d.root-servers.net. 3600000 IN A 128.8.10.90
> e.root-servers.net. 3600000 IN A 192.203.230.10
> f.root-servers.net. 3600000 IN A 192.5.5.241
> g.root-servers.net. 3600000 IN A 192.112.36.4
> h.root-servers.net. 3600000 IN A 128.63.2.53
> i.root-servers.net. 3600000 IN A 192.36.148.17
> j.root-servers.net. 3600000 IN A 192.58.128.30
> k.root-servers.net. 3600000 IN A 193.0.14.129
> l.root-servers.net. 3600000 IN A 199.7.83.42
> m.root-servers.net. 3600000 IN A 202.12.27.33
> a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30
> f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f
> h.root-servers.net. 3600000 IN AAAA 2001:500:1::803f:235
> i.root-servers.net. 3600000 IN AAAA 2001:7fe::53
> j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30
> k.root-servers.net. 3600000 IN AAAA 2001:7fd::1
> l.root-servers.net. 3600000 IN AAAA 2001:500:3::42
> m.root-servers.net. 3600000 IN AAAA 2001:dc3::35
>
> ;; Query time: 5 msec
> ;; SERVER: 192.5.5.241#53(192.5.5.241)
> ;; WHEN: Fri Jul 16 14:51:27 2010
> ;; MSG SIZE rcvd: 1044
>
> ============================
> ; <<>> DiG 9.3.5-P1 <<>> @j.root-servers.net . soa +dnssec
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27546
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 22
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;. IN SOA
>
> ;; ANSWER SECTION:
> . 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010071501 1800 900
> 604800 86400
> . 86400 IN RRSIG SOA 8 0 86400 20100722000000 20100714230000 41248 .
> iJEabLsGHtCq8qrfSbMIjzPpBLqXa0aD5cBsIp9Sf/NF0VJQQ4nl/v+j
> 6NR6/KClkAz2VviWE4hLDzMWcil5qzZJLvqduDedk3QV+mBKNy3OVPdN
> IeyxK/nYtxVBJMKbynJ8pBm0vAL3TW1+0JEfD7IG0do5t84+32hQd9Mb Vn0=
>
> ;; AUTHORITY SECTION:
> . 518400 IN NS c.root-servers.net.
> . 518400 IN NS f.root-servers.net.
> . 518400 IN NS g.root-servers.net.
> . 518400 IN NS k.root-servers.net.
> . 518400 IN NS e.root-servers.net.
> . 518400 IN NS a.root-servers.net.
> . 518400 IN NS d.root-servers.net.
> . 518400 IN NS i.root-servers.net.
> . 518400 IN NS j.root-servers.net.
> . 518400 IN NS m.root-servers.net.
> . 518400 IN NS l.root-servers.net.
> . 518400 IN NS b.root-servers.net.
> . 518400 IN NS h.root-servers.net.
> . 518400 IN RRSIG NS 8 0 518400 20100722000000 20100714230000 41248 .
> ohs6B6xof3LrglEMni5/gz9NY5M8MWx0qNVpzo8SmzdqhA4gUGTzHW2O
> 9kz7ZqZLZq6LXUF2Qg2eYoY9rfBjajq0PSZIzkpwWGVIF2hQnbtiDUwS
> RR/RliyBUsGyvom7LNug+527vQCCEu9GNWS9rSgqo2HY44+CYjqo0mpF Y58=
>
> ;; ADDITIONAL SECTION:
> a.root-servers.net. 3600000 IN A 198.41.0.4
> a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30
> b.root-servers.net. 3600000 IN A 192.228.79.201
> c.root-servers.net. 3600000 IN A 192.33.4.12
> d.root-servers.net. 3600000 IN A 128.8.10.90
> e.root-servers.net. 3600000 IN A 192.203.230.10
> f.root-servers.net. 3600000 IN A 192.5.5.241
> f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f
> g.root-servers.net. 3600000 IN A 192.112.36.4
> h.root-servers.net. 3600000 IN A 128.63.2.53
> h.root-servers.net. 3600000 IN AAAA 2001:500:1::803f:235
> i.root-servers.net. 3600000 IN A 192.36.148.17
> i.root-servers.net. 3600000 IN AAAA 2001:7fe::53
> j.root-servers.net. 3600000 IN A 192.58.128.30
> j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30
> k.root-servers.net. 3600000 IN A 193.0.14.129
> k.root-servers.net. 3600000 IN AAAA 2001:7fd::1
> l.root-servers.net. 3600000 IN A 199.7.83.42
> l.root-servers.net. 3600000 IN AAAA 2001:500:3::42
> m.root-servers.net. 3600000 IN A 202.12.27.33
> m.root-servers.net. 3600000 IN AAAA 2001:dc3::35
>
> ;; Query time: 1051 msec
> ;; SERVER: 192.58.128.30#53(192.58.128.30)
> ;; WHEN: Fri Jul 16 14:51:50 2010
> ;; MSG SIZE rcvd: 1044
>
> ========
>
> ; <<>> DiG 9.3.5-P1 <<>> +norec @F.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7134
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;HOSTNAME.BIND. CH TXT
>
> ;; ANSWER SECTION:
> HOSTNAME.BIND. 0 CH TXT "nbo1a.f.root-servers.org"
>
> ;; AUTHORITY SECTION:
> HOSTNAME.BIND. 0 CH NS HOSTNAME.BIND.
>
> ;; Query time: 4 msec
> ;; SERVER: 192.5.5.241#53(192.5.5.241)
> ;; WHEN: Fri Jul 16 14:52:48 2010
> ;; MSG SIZE rcvd: 82
>
> =====
>
> ; <<>> DiG 9.3.5-P1 <<>> +norec @J.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31427
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;HOSTNAME.BIND. CH TXT
>
> ;; ANSWER SECTION:
> HOSTNAME.BIND. 0 CH TXT "jns6-ams1"
>
> ;; AUTHORITY SECTION:
> HOSTNAME.BIND. 0 CH NS HOSTNAME.BIND.
>
> ;; Query time: 1034 msec
> ;; SERVER: 192.58.128.30#53(192.58.128.30)
> ;; WHEN: Fri Jul 16 14:53:03 2010
> ;; MSG SIZE rcvd: 67
>
>
>
> --- On Fri, 7/16/10, ALAIN AINA <aalain at trstech.net> wrote:
>
> From: ALAIN AINA <aalain at trstech.net>
> Subject: Re: [afnog] first signed root zone
> To: "Walubengo J" <jwalu at yahoo.com>
> Cc: afnog at afnog.org
> Date: Friday, July 16, 2010, 12:52 PM
>
>
> On Jul 16, 2010, at 8:01 AM, Walubengo J wrote:
>
> > Alain,
> >
> > Nice to know. Just a quick question. Of what value (security-wise) would be a signed root server in relation to the many unsigned anycast (root) servers across the globe?
> >
> > In other words, if the anycast server in Kenya is unsigned and it is handling my DNS requests, then I don't get to benefit from the remote signed root server (right?)
>
>
> Can you provide from Nairobi :
>
> dig @f.root-servers.net . soa +dnssec
> dig @j.root-servers.net . soa +dnssec
>
> and
>
> dig +norec @F.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT
> dig +norec @J.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT
>
> thanks
>
>
> --alain
> >
> > walu.
> >
> > --- On Fri, 7/16/10, ALAIN AINA <aalain at trstech.net> wrote:
> >
> > From: ALAIN AINA <aalain at trstech.net>
> > Subject: [afnog] first signed root zone
> > To: afnog at afnog.org
> > Date: Friday, July 16, 2010, 8:48 AM
> >
> > Hi,
> >
> > First signed root zone published. Serial number is 2010071501.
> >
> > Congratulations to the people who made this happen.
> >
> > Now let's see if it breaks anything and how the TLD DS records will flow in the root zone.
> >
> > Do you remember our comment to NTIA enquiring about signing the root zone?
> >
> > http://www.ntia.doc.gov/DNS/comments/comment020.pdf
> >
> > Cheers
> >
> > --alain
> >
> >
> >
> >
> >
> > ; <<>> DiG 9.6.0-APPLE-P2 <<>> @f.root-servers.net . any +dnssec
> > ; (2 servers found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33797
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 22
> > ;; WARNING: recursion requested but not available
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 4096
> > ;; QUESTION SECTION:
> > ;. IN ANY
> >
> > ;; ANSWER SECTION:
> > . 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010071501 1800 900 604800 86400
> > . 86400 IN RRSIG NSEC 8 0 86400 20100722000000 20100714230000 41248 . hRFnAY9bkRYKSVlnz8E1mG9QqRdoiK1UoMdPBO/mowHzJINUcFPYPXNS Mt74pesK7B0FAu4jEvzG+rXgD0D0e+t9RQXQLVYTMHIdA2qN6x+ujFV/ atbuVs+R8TAMUs1YO8fvFxWC/Be/eI63fzQXi7vy/kYOvujQF74jyjA8 Es4=
> > . 86400 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
> > . 86400 IN RRSIG DNSKEY 8 0 86400 20100725235959 20100711000000 19036 . I4cENgcWP+mN7eoX8KqPhvOMcGB0MMOB6ooTbEKHPR9gk6sAcJvq04tC ncwBNiMY3JxzHajsLmMermTL0sVmXj8j6Ba3eTX+t4CsdnUBFfk8zDyb lIIlYwWKZ/x2aXmOjKIKMIC9w8Wnt8awoo45MWzlAT2wGU7gcCAKxJ+O FG/ev8eUXpNxpzRIQvuC7ZGOlELJrrTQCgubyMWOjGaY0MPzrei0Uwe9 2autHPcISBKghnp80zfLmkueSO8qmkbwHn6Jg5vFQ7mG/BKJ5mDXCX5k IjfBQPPe+I2FsGnl+2r9yAmT1n7xLzktKRwKpCwE265EUhDMq7e0P7gF khgEPA==
> > . 86400 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
> > . 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467 QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQN DNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel 8Icy19hR
> > . 518400 IN RRSIG NS 8 0 518400 20100722000000 20100714230000 41248 . ohs6B6xof3LrglEMni5/gz9NY5M8MWx0qNVpzo8SmzdqhA4gUGTzHW2O 9kz7ZqZLZq6LXUF2Qg2eYoY9rfBjajq0PSZIzkpwWGVIF2hQnbtiDUwS RR/RliyBUsGyvom7LNug+527vQCCEu9GNWS9rSgqo2HY44+CYjqo0mpF Y58=
> > . 518400 IN NS l.root-servers.net.
> > . 518400 IN NS e.root-servers.net.
> > . 518400 IN NS i.root-servers.net.
> > . 518400 IN NS d.root-servers.net.
> > . 518400 IN NS k.root-servers.net.
> > . 518400 IN NS h.root-servers.net.
> > . 518400 IN NS f.root-servers.net.
> > . 518400 IN NS j.root-servers.net.
> > . 518400 IN NS a.root-servers.net.
> > . 518400 IN NS c.root-servers.net.
> > . 518400 IN NS g.root-servers.net.
> > . 518400 IN NS b.root-servers.net.
> > . 518400 IN NS m.root-servers.net.
> > . 86400 IN RRSIG SOA 8 0 86400 20100722000000 20100714230000 41248 . iJEabLsGHtCq8qrfSbMIjzPpBLqXa0aD5cBsIp9Sf/NF0VJQQ4nl/v+j 6NR6/KClkAz2VviWE4hLDzMWcil5qzZJLvqduDedk3QV+mBKNy3OVPdN IeyxK/nYtxVBJMKbynJ8pBm0vAL3TW1+0JEfD7IG0do5t84+32hQd9Mb Vn0=
> >
> > ;; ADDITIONAL SECTION:
> > a.root-servers.net. 3600000 IN A 198.41.0.4
> > b.root-servers.net. 3600000 IN A 192.228.79.201
> > c.root-servers.net. 3600000 IN A 192.33.4.12
> > d.root-servers.net. 3600000 IN A 128.8.10.90
> > e.root-servers.net. 3600000 IN A 192.203.230.10
> > f.root-servers.net. 3600000 IN A 192.5.5.241
> > g.root-servers.net. 3600000 IN A 192.112.36.4
> > h.root-servers.net. 3600000 IN A 128.63.2.53
> > i.root-servers.net. 3600000 IN A 192.36.148.17
> > j.root-servers.net. 3600000 IN A 192.58.128.30
> > k.root-servers.net. 3600000 IN A 193.0.14.129
> > l.root-servers.net. 3600000 IN A 199.7.83.42
> > m.root-servers.net. 3600000 IN A 202.12.27.33
> > a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30
> > f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f
> > h.root-servers.net. 3600000 IN AAAA 2001:500:1::803f:235
> > i.root-servers.net. 3600000 IN AAAA 2001:7fe::53
> > j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30
> > k.root-servers.net. 3600000 IN AAAA 2001:7fd::1
> > l.root-servers.net. 3600000 IN AAAA 2001:500:3::42
> > m.root-servers.net. 3600000 IN AAAA 2001:dc3::35
> >
> > ;; Query time: 201 msec
> > ;; SERVER: 192.5.5.241#53(192.5.5.241)
> > ;; WHEN: Fri Jul 16 04:23:34 2010
> > ;; MSG SIZE rcvd: 1934
> >
> >
> >
> >
>
>
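Added example, not part of the original messages: a small Python parser that applies the reading given in the reply at the top of this thread to the two kinds of dig output requested (an RRSIG covering the SOA with the DO flag echoed means signed data was served; the HOSTNAME.BIND answer and query time show which anycast instance answered). The sample strings are constructed from the shape of the quoted replies with a placeholder signature, and `site_hint` and `max_msec` are assumptions the operator supplies, not values defined by the root server operators.

```python
import re

# Constructed samples, trimmed from the shape of the dig replies quoted in the
# thread; the signature text is a placeholder, not a real RRSIG.
F_SOA = """\
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 22
> ; EDNS: version: 0, flags: do; udp: 4096
> . 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010071501 1800 900
> . 86400 IN RRSIG SOA 8 0 86400 20100722000000 20100714230000 41248 . PLACEHOLDER=
> ;; Query time: 5 msec
"""
F_ID = '> HOSTNAME.BIND. 0 CH TXT "nbo1a.f.root-servers.org"\n> ;; Query time: 4 msec\n'
J_ID = '> HOSTNAME.BIND. 0 CH TXT "jns6-ams1"\n> ;; Query time: 1034 msec\n'

def _lines(text):
    # Strip mail quoting ("> ", "> > ") so replies pasted from a thread parse.
    return [re.sub(r"^(>\s?)+", "", ln).strip() for ln in text.splitlines()]

def _msec(lines):
    for ln in lines:
        m = re.match(r";; Query time: (\d+) msec", ln)
        if m:
            return int(m.group(1))
    return None

def parse_soa(text):
    """Summarise a `dig @server . soa +dnssec` reply."""
    lines = _lines(text)
    out = {"do": False, "serial": None, "key_tag": None, "msec": _msec(lines)}
    for ln in lines:
        f = ln.split()
        if ln.startswith("; EDNS:"):
            out["do"] = re.search(r"flags:[^;]*\bdo\b", ln) is not None
        elif len(f) >= 7 and f[:4] == [".", f[1], "IN", "SOA"]:
            out["serial"] = int(f[6])
        elif len(f) >= 11 and f[2:5] == ["IN", "RRSIG", "SOA"]:
            out["key_tag"] = int(f[10])
    # Signed data was served only if DO was echoed and an RRSIG covers the SOA.
    out["signed"] = out["do"] and out["key_tag"] is not None
    return out

def parse_identity(text, site_hint, max_msec=50):
    """Summarise a `dig +norec @server HOSTNAME.BIND CHAOS TXT` reply."""
    lines = _lines(text)
    m = re.search(r'HOSTNAME\.BIND\.\s+\d+\s+CH\s+TXT\s+"([^"]*)"', "\n".join(lines))
    name, ms = (m.group(1) if m else None), _msec(lines)
    # site_hint and max_msec are assumptions supplied by the operator.
    local = bool(name and site_hint in name and ms is not None and ms <= max_msec)
    return {"instance": name, "msec": ms, "local": local}
```

This only reports whether signatures were returned and by which instance; it does not validate the RRSIG against the root DNSKEY, which a validating resolver must do.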