July 15, 2010: ICANN publishes the root zone trust anchor and root operators begin to serve the signed root zone with actual keys. The signed root zone is available."
When it stops being masked like that, then it has gone live for real. Still 3 hours left according to the countdown at http://dns.icann.org/.
An interesting DNSSEC amplification
Posted Jul 15, 2010 14:08 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
I was wrong. Thanks for correction!
BTW, what should be done in BIND to allow it to use the root key? Anything special besides the usual "dnssec-validate yes"?
I suspect that the root key must be manually added to the list of trusted anchors?
An interesting DNSSEC amplification
Posted Jul 15, 2010 14:32 UTC (Thu) by cesarb (subscriber, #6266)
Yes, AFAIK you will need to add it manually as a trust anchor. Be sure to have some way to deal with key rollover (or it will mysteriously stop working as a DNS server at some point in the future). I would recommend using "managed-keys" instead of "trusted-keys" to avoid any problems (see the fine manual at http://oldwww.isc.org/sw/bind/arm97/Bv9ARM.ch06.html#id25...).
I do not know whether ISC's DLV (http://www.isc.org/solutions/dlv) will be updated to use the DNS root key. If it is and you are already using ISC's DLV, you might not need to do anything at first (at least until it is shut down for not being needed anymore).
You can also simply wait for your distribution to update their packages, if you used it to configure DNSSEC (for instance, IIRC Fedora 13's bind package uses DNSSEC via ISC's DLV by default; it will not surprise me if it is updated soon to add the true DNS root key).
An interesting DNSSEC amplification
Posted Jul 15, 2010 14:37 UTC (Thu) by tialaramex (subscriber, #21167)
Yes, you should obtain and validate (the files will be GnuPG signed, and it is hoped that the people who sign are well connected in the web of trust) anchors for the root zone.
Eventually it is envisioned that OS vendors would provide and update these anchors, much as they all tend to offer timezone files updated with changes from the various civilian entities which claim authority to determine local time. The older anchors would become invalid after some period of time (I've forgotten, perhaps it's a year) and everyone would need to update often enough or switch off DNSSEC.
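The two answers above cover the operator's job in words: fetch the published root trust anchor, check that the DNSKEY the root actually serves matches it, and install it as a `managed-keys` entry so BIND can follow rollovers. The example below is added here to show the mechanics; it is not code from the thread, from ISC or from ICANN. ICANN publishes the anchor as a DS record (key tag, algorithm, digest type, digest) in its root-anchors.xml file, so the check is "rebuild the DS from the DNSKEY RDATA and compare". The key tag follows RFC 4034 Appendix B and the DS digest is hashed over the owner name in wire form followed by the DNSKEY RDATA (RFC 4034 section 5.1.4). The sample key bytes are constructed and are NOT the real root KSK; the `managed-keys` text follows the BIND 9.7 `initial-key` syntax the linked manual describes, and the GnuPG check on the downloaded anchor file is assumed to have been done separately, as tialaramex says.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample key: flags 257 (KSK, SEP bit set), protocol 3,
# algorithm 8 (RSA/SHA-256). The public key bytes are a placeholder;
# the real root KSK is far longer and must come from ICANN's anchor file.
SAMPLE_DNSKEY = {
    "flags": 257,
    "protocol": 3,
    "algorithm": 8,
    "public_key": b"\x01\x02\x03\x04",
}


def dnskey_rdata(key):
    """DNSKEY RDATA on the wire: flags(2) protocol(1) algorithm(1) key(n)."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["public_key"]


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for algorithms other than RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name):
    """Owner name in DNS wire form; the root is a single zero-length label."""
    if name == ".":
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def make_ds(name, key, digest_type=2):
    """Build the DS record (as published in root-anchors.xml) for a DNSKEY.
    digest_type 1 = SHA-1, 2 = SHA-256."""
    rdata = dnskey_rdata(key)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_wire(name) + rdata).hexdigest().upper()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": key["algorithm"],
        "digest_type": digest_type,
        "digest": digest,
    }


def dnskey_matches_anchor(name, key, anchor):
    """True if the DNSKEY served for `name` reproduces the published DS.
    A mismatch means the served key is not the anchored key (rollover,
    bad download, or tampering); don't install it."""
    candidate = make_ds(name, key, anchor["digest_type"])
    return (
        candidate["key_tag"] == anchor["key_tag"]
        and candidate["algorithm"] == anchor["algorithm"]
        and hmac.compare_digest(candidate["digest"], anchor["digest"].upper())
    )


def managed_keys_stanza(name, key):
    """named.conf text for a BIND 9.7-style managed-keys entry. With
    initial-key BIND tracks RFC 5011 rollovers itself, unlike trusted-keys."""
    b64 = base64.b64encode(key["public_key"]).decode("ascii")
    return (
        "managed-keys {\n"
        f'    "{name}" initial-key {key["flags"]} {key["protocol"]} {key["algorithm"]} "{b64}";\n'
        "};\n"
    )


if __name__ == "__main__":
    # In practice `anchor` is parsed from ICANN's (GnuPG-verified) file and
    # `SAMPLE_DNSKEY` is the DNSKEY fetched from a root server.
    anchor = make_ds(".", SAMPLE_DNSKEY)
    print("published DS:", anchor)
    if dnskey_matches_anchor(".", SAMPLE_DNSKEY, anchor):
        print(managed_keys_stanza(".", SAMPLE_DNSKEY))
    else:
        print("served DNSKEY does not match the published anchor; refusing to install")
```

The comparison deliberately checks key tag, algorithm and digest together: the key tag alone is a 16-bit checksum and collides easily, so it only narrows down which key in the DNSKEY RRset to hash.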