[afnog] first signed root zone-nairobi data

ALAIN AINA aalain at trstech.net
Fri Jul 16 13:55:25 UTC 2010


Sorry, I did not elaborate. Here it goes...


There are 2 root instances (all local nodes) in Nairobi (F, J). See http://www.root-servers.org/

From the data you provided:

1- The answer from F-root takes 5 msec and gives a signature over the RR-Set


> ; ANSWER SECTION:
> .                        86400        IN        SOA        a.root-servers.net. nstld.verisign-grs.com. 2010071501 1800 900
> 604800 86400
> .                        86400        IN        RRSIG        SOA 8 0 86400 20100722000000 20100714230000 41248 .
> iJEabLsGHtCq8qrfSbMIjzPpBLqXa0aD5cBsIp9Sf/NF0VJQQ4nl/v+j
> 6NR6/KClkAz2VviWE4hLDzMWcil5qzZJLvqduDedk3QV+mBKNy3OVPdN
> IeyxK/nYtxVBJMKbynJ8pBm0vAL3TW1+0JEfD7IG0do5t84+32hQd9Mb Vn0=


> ;; Query time: 5 msec
> ;; SERVER: 192.5.5.241#53(192.5.5.241)
> 

2- The query DiG 9.3.5-P1 <<>> +norec @F.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT shows:

> HOSTNAME.BIND.                0        CH        TXT        "nbo1a.f.root-servers.org"


According to http://www.isc.org/community/f-root/sites, your query went to the F-root node in Nairobi.


3- Your query to J-root takes 1051 msec and went to a node somewhere in Amsterdam ("jns6-ams1"), which also gives a signature over the RR-Set

> ;; Query time: 1051 msec

> ;; ANSWER SECTION:
> HOSTNAME.BIND.                0        CH        TXT        "jns6-ams1"




Hope this helps

--alain


On Jul 16, 2010, at 11:59 AM, Walubengo J wrote:

> Alain,
> 
> Below is the Nairobi data. I suppose you will educate me on how to interpret it?
> 
> walu.
> 
> ; <<>> DiG 9.3.5-P1 <<>> @f.root-servers.net . soa +dnssec
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56929
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 22
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;.                                IN        SOA
> 
> ;; ANSWER SECTION:
> .                        86400        IN        SOA        a.root-servers.net. nstld.verisign-grs.com. 2010071501 1800 900
> 604800 86400
> .                        86400        IN        RRSIG        SOA 8 0 86400 20100722000000 20100714230000 41248 .
> iJEabLsGHtCq8qrfSbMIjzPpBLqXa0aD5cBsIp9Sf/NF0VJQQ4nl/v+j
> 6NR6/KClkAz2VviWE4hLDzMWcil5qzZJLvqduDedk3QV+mBKNy3OVPdN
> IeyxK/nYtxVBJMKbynJ8pBm0vAL3TW1+0JEfD7IG0do5t84+32hQd9Mb Vn0=
> 
> ;; AUTHORITY SECTION:
> .                        518400        IN        NS        h.root-servers.net.
> .                        518400        IN        NS        m.root-servers.net.
> .                        518400        IN        NS        f.root-servers.net.
> .                        518400        IN        NS        b.root-servers.net.
> .                        518400        IN        NS        k.root-servers.net.
> .                        518400        IN        NS        g.root-servers.net.
> .                        518400        IN        NS        a.root-servers.net.
> .                        518400        IN        NS        j.root-servers.net.
> .                        518400        IN        NS        e.root-servers.net.
> .                        518400        IN        NS        l.root-servers.net.
> .                        518400        IN        NS        d.root-servers.net.
> .                        518400        IN        NS        c.root-servers.net.
> .                        518400        IN        NS        i.root-servers.net.
> .                        518400        IN        RRSIG        NS 8 0 518400 20100722000000 20100714230000 41248 .
> ohs6B6xof3LrglEMni5/gz9NY5M8MWx0qNVpzo8SmzdqhA4gUGTzHW2O
> 9kz7ZqZLZq6LXUF2Qg2eYoY9rfBjajq0PSZIzkpwWGVIF2hQnbtiDUwS
> RR/RliyBUsGyvom7LNug+527vQCCEu9GNWS9rSgqo2HY44+CYjqo0mpF Y58=
> 
> ;; ADDITIONAL SECTION:
> a.root-servers.net.        3600000        IN        A        198.41.0.4
> b.root-servers.net.        3600000        IN        A        192.228.79.201
> c.root-servers.net.        3600000        IN        A        192.33.4.12
> d.root-servers.net.        3600000        IN        A        128.8.10.90
> e.root-servers.net.        3600000        IN        A        192.203.230.10
> f.root-servers.net.        3600000        IN        A        192.5.5.241
> g.root-servers.net.        3600000        IN        A        192.112.36.4
> h.root-servers.net.        3600000        IN        A        128.63.2.53
> i.root-servers.net.        3600000        IN        A        192.36.148.17
> j.root-servers.net.        3600000        IN        A        192.58.128.30
> k.root-servers.net.        3600000        IN        A        193.0.14.129
> l.root-servers.net.        3600000        IN        A        199.7.83.42
> m.root-servers.net.        3600000        IN        A        202.12.27.33
> a.root-servers.net.        3600000        IN        AAAA        2001:503:ba3e::2:30
> f.root-servers.net.        3600000        IN        AAAA        2001:500:2f::f
> h.root-servers.net.        3600000        IN        AAAA        2001:500:1::803f:235
> i.root-servers.net.        3600000        IN        AAAA        2001:7fe::53
> j.root-servers.net.        3600000        IN        AAAA        2001:503:c27::2:30
> k.root-servers.net.        3600000        IN        AAAA        2001:7fd::1
> l.root-servers.net.        3600000        IN        AAAA        2001:500:3::42
> m.root-servers.net.        3600000        IN        AAAA        2001:dc3::35
> 
> ;; Query time: 5 msec
> ;; SERVER: 192.5.5.241#53(192.5.5.241)
> ;; WHEN: Fri Jul 16 14:51:27 2010
> ;; MSG SIZE  rcvd: 1044
> 
> ============================
> ; <<>> DiG 9.3.5-P1 <<>> @j.root-servers.net . soa +dnssec
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27546
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 22
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;.                                IN        SOA
> 
> ;; ANSWER SECTION:
> .                        86400        IN        SOA        a.root-servers.net. nstld.verisign-grs.com. 2010071501 1800 900
> 604800 86400
> .                        86400        IN        RRSIG        SOA 8 0 86400 20100722000000 20100714230000 41248 .
> iJEabLsGHtCq8qrfSbMIjzPpBLqXa0aD5cBsIp9Sf/NF0VJQQ4nl/v+j
> 6NR6/KClkAz2VviWE4hLDzMWcil5qzZJLvqduDedk3QV+mBKNy3OVPdN
> IeyxK/nYtxVBJMKbynJ8pBm0vAL3TW1+0JEfD7IG0do5t84+32hQd9Mb Vn0=
> 
> ;; AUTHORITY SECTION:
> .                        518400        IN        NS        c.root-servers.net.
> .                        518400        IN        NS        f.root-servers.net.
> .                        518400        IN        NS        g.root-servers.net.
> .                        518400        IN        NS        k.root-servers.net.
> .                        518400        IN        NS        e.root-servers.net.
> .                        518400        IN        NS        a.root-servers.net.
> .                        518400        IN        NS        d.root-servers.net.
> .                        518400        IN        NS        i.root-servers.net.
> .                        518400        IN        NS        j.root-servers.net.
> .                        518400        IN        NS        m.root-servers.net.
> .                        518400        IN        NS        l.root-servers.net.
> .                        518400        IN        NS        b.root-servers.net.
> .                        518400        IN        NS        h.root-servers.net.
> .                        518400        IN        RRSIG        NS 8 0 518400 20100722000000 20100714230000 41248 .
> ohs6B6xof3LrglEMni5/gz9NY5M8MWx0qNVpzo8SmzdqhA4gUGTzHW2O
> 9kz7ZqZLZq6LXUF2Qg2eYoY9rfBjajq0PSZIzkpwWGVIF2hQnbtiDUwS
> RR/RliyBUsGyvom7LNug+527vQCCEu9GNWS9rSgqo2HY44+CYjqo0mpF Y58=
> 
> ;; ADDITIONAL SECTION:
> a.root-servers.net.        3600000        IN        A        198.41.0.4
> a.root-servers.net.        3600000        IN        AAAA        2001:503:ba3e::2:30
> b.root-servers.net.        3600000        IN        A        192.228.79.201
> c.root-servers.net.        3600000        IN        A        192.33.4.12
> d.root-servers.net.        3600000        IN        A        128.8.10.90
> e.root-servers.net.        3600000        IN        A        192.203.230.10
> f.root-servers.net.        3600000        IN        A        192.5.5.241
> f.root-servers.net.        3600000        IN        AAAA        2001:500:2f::f
> g.root-servers.net.        3600000        IN        A        192.112.36.4
> h.root-servers.net.        3600000        IN        A        128.63.2.53
> h.root-servers.net.        3600000        IN        AAAA        2001:500:1::803f:235
> i.root-servers.net.        3600000        IN        A        192.36.148.17
> i.root-servers.net.        3600000        IN        AAAA        2001:7fe::53
> j.root-servers.net.        3600000        IN        A        192.58.128.30
> j.root-servers.net.        3600000        IN        AAAA        2001:503:c27::2:30
> k.root-servers.net.        3600000        IN        A        193.0.14.129
> k.root-servers.net.        3600000        IN        AAAA        2001:7fd::1
> l.root-servers.net.        3600000        IN        A        199.7.83.42
> l.root-servers.net.        3600000        IN        AAAA        2001:500:3::42
> m.root-servers.net.        3600000        IN        A        202.12.27.33
> m.root-servers.net.        3600000        IN        AAAA        2001:dc3::35
> 
> ;; Query time: 1051 msec
> ;; SERVER: 192.58.128.30#53(192.58.128.30)
> ;; WHEN: Fri Jul 16 14:51:50 2010
> ;; MSG SIZE  rcvd: 1044
> 
> ========
> 
> ; <<>> DiG 9.3.5-P1 <<>> +norec @F.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7134
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;HOSTNAME.BIND.                        CH        TXT
> 
> ;; ANSWER SECTION:
> HOSTNAME.BIND.                0        CH        TXT        "nbo1a.f.root-servers.org"
> 
> ;; AUTHORITY SECTION:
> HOSTNAME.BIND.                0        CH        NS        HOSTNAME.BIND.
> 
> ;; Query time: 4 msec
> ;; SERVER: 192.5.5.241#53(192.5.5.241)
> ;; WHEN: Fri Jul 16 14:52:48 2010
> ;; MSG SIZE  rcvd: 82
> 
> =====
> 
> ; <<>> DiG 9.3.5-P1 <<>> +norec @J.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31427
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;HOSTNAME.BIND.                        CH        TXT
> 
> ;; ANSWER SECTION:
> HOSTNAME.BIND.                0        CH        TXT        "jns6-ams1"
> 
> ;; AUTHORITY SECTION:
> HOSTNAME.BIND.                0        CH        NS        HOSTNAME.BIND.
> 
> ;; Query time: 1034 msec
> ;; SERVER: 192.58.128.30#53(192.58.128.30)
> ;; WHEN: Fri Jul 16 14:53:03 2010
> ;; MSG SIZE  rcvd: 67
> 
> 
> 
> --- On Fri, 7/16/10, ALAIN AINA <aalain at trstech.net> wrote:
> 
> From: ALAIN AINA <aalain at trstech.net>
> Subject: Re: [afnog] first signed root zone
> To: "Walubengo J" <jwalu at yahoo.com>
> Cc: afnog at afnog.org
> Date: Friday, July 16, 2010, 12:52 PM
> 
> 
> On Jul 16, 2010, at 8:01 AM, Walubengo J wrote:
> 
> > Alain,
> > 
> > Nice to know. Just a quick question. Of what value (security-wise) would be a signed root server in relation to the many unsigned anycast (root) servers across the globe?
> > 
> > In other words, if the anycast server in Kenya is unsigned and it is handling my DNS requests, then I don't get to benefit from the remote signed root server (right?)
> 
> 
> Can you provide from Nairobi:
> 
> dig @f.root-servers.net  .  soa +dnssec 
> dig @j.root-servers.net .  soa +dnssec
> 
> and 
> 
> dig +norec @F.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT
> dig +norec @J.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT
> 
> thanks
> 
> 
> --alain
> > 
> > walu.
> > 
> > --- On Fri, 7/16/10, ALAIN AINA <aalain at trstech.net> wrote:
> > 
> > From: ALAIN AINA <aalain at trstech.net>
> > Subject: [afnog] first signed root zone
> > To: afnog at afnog.org
> > Date: Friday, July 16, 2010, 8:48 AM
> > 
> > Hi,
> > 
> > First signed root zone published. Serial number is 2010071501.
> > 
> > Congratulations to the people who made this happen.
> > 
> > Now let's see if it breaks anything and how the TLD DS records will flow in the root zone.
> > 
> > Do you remember our comment to NTIA enquiring about signing the root zone?
> > 
> > http://www.ntia.doc.gov/DNS/comments/comment020.pdf
> > 
> > Cheers
> > 
> > --alain
> > 
> > 
> > 
> > 
> > 
> > ; <<>> DiG 9.6.0-APPLE-P2 <<>> @f.root-servers.net . any +dnssec
> > ; (2 servers found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33797
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 22
> > ;; WARNING: recursion requested but not available
> > 
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 4096
> > ;; QUESTION SECTION:
> > ;.                IN    ANY
> > 
> > ;; ANSWER SECTION:
> > .            86400    IN    SOA    a.root-servers.net. nstld.verisign-grs.com. 2010071501 1800 900 604800 86400
> > .            86400    IN    RRSIG    NSEC 8 0 86400 20100722000000 20100714230000 41248 . hRFnAY9bkRYKSVlnz8E1mG9QqRdoiK1UoMdPBO/mowHzJINUcFPYPXNS Mt74pesK7B0FAu4jEvzG+rXgD0D0e+t9RQXQLVYTMHIdA2qN6x+ujFV/ atbuVs+R8TAMUs1YO8fvFxWC/Be/eI63fzQXi7vy/kYOvujQF74jyjA8 Es4=
> > .            86400    IN    NSEC    ac. NS SOA RRSIG NSEC DNSKEY
> > .            86400    IN    RRSIG    DNSKEY 8 0 86400 20100725235959 20100711000000 19036 . I4cENgcWP+mN7eoX8KqPhvOMcGB0MMOB6ooTbEKHPR9gk6sAcJvq04tC ncwBNiMY3JxzHajsLmMermTL0sVmXj8j6Ba3eTX+t4CsdnUBFfk8zDyb lIIlYwWKZ/x2aXmOjKIKMIC9w8Wnt8awoo45MWzlAT2wGU7gcCAKxJ+O FG/ev8eUXpNxpzRIQvuC7ZGOlELJrrTQCgubyMWOjGaY0MPzrei0Uwe9 2autHPcISBKghnp80zfLmkueSO8qmkbwHn6Jg5vFQ7mG/BKJ5mDXCX5k IjfBQPPe+I2FsGnl+2r9yAmT1n7xLzktKRwKpCwE265EUhDMq7e0P7gF khgEPA==
> > .            86400    IN    DNSKEY    257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
> > .            86400    IN    DNSKEY    256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467 QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQN DNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel 8Icy19hR
> > .            518400    IN    RRSIG    NS 8 0 518400 20100722000000 20100714230000 41248 . ohs6B6xof3LrglEMni5/gz9NY5M8MWx0qNVpzo8SmzdqhA4gUGTzHW2O 9kz7ZqZLZq6LXUF2Qg2eYoY9rfBjajq0PSZIzkpwWGVIF2hQnbtiDUwS RR/RliyBUsGyvom7LNug+527vQCCEu9GNWS9rSgqo2HY44+CYjqo0mpF Y58=
> > .            518400    IN    NS    l.root-servers.net.
> > .            518400    IN    NS    e.root-servers.net.
> > .            518400    IN    NS    i.root-servers.net.
> > .            518400    IN    NS    d.root-servers.net.
> > .            518400    IN    NS    k.root-servers.net.
> > .            518400    IN    NS    h.root-servers.net.
> > .            518400    IN    NS    f.root-servers.net.
> > .            518400    IN    NS    j.root-servers.net.
> > .            518400    IN    NS    a.root-servers.net.
> > .            518400    IN    NS    c.root-servers.net.
> > .            518400    IN    NS    g.root-servers.net.
> > .            518400    IN    NS    b.root-servers.net.
> > .            518400    IN    NS    m.root-servers.net.
> > .            86400    IN    RRSIG    SOA 8 0 86400 20100722000000 20100714230000 41248 . iJEabLsGHtCq8qrfSbMIjzPpBLqXa0aD5cBsIp9Sf/NF0VJQQ4nl/v+j 6NR6/KClkAz2VviWE4hLDzMWcil5qzZJLvqduDedk3QV+mBKNy3OVPdN IeyxK/nYtxVBJMKbynJ8pBm0vAL3TW1+0JEfD7IG0do5t84+32hQd9Mb Vn0=
> > 
> > ;; ADDITIONAL SECTION:
> > a.root-servers.net.    3600000    IN    A    198.41.0.4
> > b.root-servers.net.    3600000    IN    A    192.228.79.201
> > c.root-servers.net.    3600000    IN    A    192.33.4.12
> > d.root-servers.net.    3600000    IN    A    128.8.10.90
> > e.root-servers.net.    3600000    IN    A    192.203.230.10
> > f.root-servers.net.    3600000    IN    A    192.5.5.241
> > g.root-servers.net.    3600000    IN    A    192.112.36.4
> > h.root-servers.net.    3600000    IN    A    128.63.2.53
> > i.root-servers.net.    3600000    IN    A    192.36.148.17
> > j.root-servers.net.    3600000    IN    A    192.58.128.30
> > k.root-servers.net.    3600000    IN    A    193.0.14.129
> > l.root-servers.net.    3600000    IN    A    199.7.83.42
> > m.root-servers.net.    3600000    IN    A    202.12.27.33
> > a.root-servers.net.    3600000    IN    AAAA    2001:503:ba3e::2:30
> > f.root-servers.net.    3600000    IN    AAAA    2001:500:2f::f
> > h.root-servers.net.    3600000    IN    AAAA    2001:500:1::803f:235
> > i.root-servers.net.    3600000    IN    AAAA    2001:7fe::53
> > j.root-servers.net.    3600000    IN    AAAA    2001:503:c27::2:30
> > k.root-servers.net.    3600000    IN    AAAA    2001:7fd::1
> > l.root-servers.net.    3600000    IN    AAAA    2001:500:3::42
> > m.root-servers.net.    3600000    IN    AAAA    2001:dc3::35
> > 
> > ;; Query time: 201 msec
> > ;; SERVER: 192.5.5.241#53(192.5.5.241)
> > ;; WHEN: Fri Jul 16 04:23:34 2010
> > ;; MSG SIZE  rcvd: 1934
> > 
> > 
> > 
> > 
> 
> 
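
Added example (not part of the original thread): a Python sketch of the reading given in the reply above, pulling the answering node, the query time and the RRSIG over the SOA out of dig output for each root letter. It goes one step further than the thread by also checking that the query time falls inside the RRSIG validity window. The sample text is constructed from values in the thread with the signature replaced by a placeholder, and WHEN_UTC assumes the client clock was at UTC+3.

```python
import re
from datetime import datetime, timezone

RRSIG_RE = re.compile(  # owner TTL IN RRSIG covered alg labels origTTL exp inc keytag signer
    r"^\S+\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+)", re.M)

def _utc(stamp):
    # RRSIG inception/expiration are printed as YYYYMMDDHHmmSS in UTC
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def _first(pattern, text):
    m = re.search(pattern, text, re.M | re.I)
    return m.group(1) if m else None

def summarize(dnssec_out, chaos_out, at):
    """Summarize one server's replies; `at` is the query time as an aware UTC datetime
    (dig's WHEN line is client-local time with no zone, so it is not parsed here)."""
    # Drop mail quote prefixes ("> > ") so output pasted from a thread parses too
    dnssec_out, chaos_out = (re.sub(r"^(?:> ?)+", "", t, flags=re.M)
                             for t in (dnssec_out, chaos_out))
    sigs = {m["covered"]: m for m in RRSIG_RE.finditer(dnssec_out)}
    soa = sigs.get("SOA")
    rtt = _first(r"^;; Query time: (\d+) msec", dnssec_out)
    return {
        "server": _first(r"^;; SERVER: ([^#\s]+)#", dnssec_out),
        "node": _first(r'^HOSTNAME\.BIND\.\s+\d+\s+CH\s+TXT\s+"([^"]+)"', chaos_out),
        "rtt_ms": int(rtt) if rtt else None,
        "soa_signed": soa is not None,
        "key_tag": int(soa["tag"]) if soa else None,
        "sig_in_window": soa is not None and _utc(soa["inc"]) <= at <= _utc(soa["exp"]),
    }

# Constructed sample: fields copied from the thread, signature replaced by a placeholder.
F_DNSSEC = """\
> ;; ANSWER SECTION:
> .  86400  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. 2010071501 1800 900 604800 86400
> .  86400  IN  RRSIG  SOA 8 0 86400 20100722000000 20100714230000 41248 . PLACEHOLDER=
> ;; Query time: 5 msec
> ;; SERVER: 192.5.5.241#53(192.5.5.241)
"""
F_CHAOS = '> HOSTNAME.BIND.  0  CH  TXT  "nbo1a.f.root-servers.org"\n'
J_DNSSEC = F_DNSSEC.replace("5 msec", "1051 msec").replace("192.5.5.241", "192.58.128.30")
J_CHAOS = 'HOSTNAME.BIND.  0  CH  TXT  "jns6-ams1"\n'
WHEN_UTC = datetime(2010, 7, 16, 11, 51, 27, tzinfo=timezone.utc)  # assumed: 14:51:27 at UTC+3

def compare():
    # Same signed SOA from both letters; only the answering node and latency differ
    return [summarize(F_DNSSEC, F_CHAOS, WHEN_UTC), summarize(J_DNSSEC, J_CHAOS, WHEN_UTC)]
```

Both summaries carry the same key tag and a signed SOA, which is the point of the reply: the signature travels with the zone data, so the choice of anycast node changes latency, not what can be validated.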
