
An interesting DNSSEC amplification

An interesting DNSSEC amplification

Posted Jul 15, 2010 2:09 UTC (Thu) by tialaramex (subscriber, #21167)
Parent article: An interesting DNSSEC amplification

Was the timing of this article a coincidence or deliberate?



An interesting DNSSEC amplification

Posted Jul 15, 2010 2:21 UTC (Thu) by jake (editor, #205)

> Was the timing of this article a coincidence or deliberate?

Hmm, coincidence I guess, cuz I don't know what it would be lined up with. Ignorance is bliss :)

jake

An interesting DNSSEC amplification

Posted Jul 15, 2010 12:48 UTC (Thu) by cesarb (subscriber, #6266)

http://www.root-dnssec.org/

"Planned High Level Timeline

[...]

July 15, 2010: ICANN publishes the root zone trust anchor and root operators begin to serve the signed root zone with actual keys – The signed root zone is available."

That is, today.

An interesting DNSSEC amplification

Posted Jul 15, 2010 13:06 UTC (Thu) by rahulsundaram (subscriber, #21946)

I had assumed it was related to

http://fedoraproject.org/wiki/Features/DNSSEC

An interesting DNSSEC amplification

Posted Jul 15, 2010 13:25 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)

It happened!

=====================================
. 86085 IN RRSIG DNSKEY 8 0 86400 20100725235959 20100711000000 19036 . I4cENgcWP+mN7eoX8KqPhvOMcGB0MMOB6ooTbEKHPR9gk6sAcJvq04tC ncwBNiMY3JxzHajsLmMermTL0sVmXj8j6Ba3eTX+t4CsdnUBFfk8zDyb lIIlYwWKZ/x2aXmOjKIKMIC9w8Wnt8awoo45MWzlAT2wGU7gcCAKxJ+O FG/ev8eUXpNxpzRIQvuC7ZGOlELJrrTQCgubyMWOjGaY0MPzrei0Uwe9 2autHPcISBKghnp80zfLmkueSO8qmkbwHn6Jg5vFQ7mG/BKJ5mDXCX5k IjfBQPPe+I2FsGnl+2r9yAmT1n7xLzktKRwKpCwE265EUhDMq7e0P7gF khgEPA==
=====================================

An interesting DNSSEC amplification

Posted Jul 15, 2010 14:05 UTC (Thu) by cesarb (subscriber, #6266)

Nope, wrong query. You are looking at the RRSIG. Look instead at the DNSKEY:

$ dig . dnskey @f.root-servers.net

; <<>> DiG 9.5.1-P2.1 <<>> . dnskey @f.root-servers.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57513
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;. IN DNSKEY

;; ANSWER SECTION:
. 86400 IN DNSKEY 257 3 8 AwEAAa7hd++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION+++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++8=
. 86400 IN DNSKEY 256 3 8 AwEAAa2Yy++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION+++++++++++++++++++++++++++++++++++++++++++ +++++++8

;; Query time: 311 msec
;; SERVER: 2001:500:2f::f#53(2001:500:2f::f)
;; WHEN: Thu Jul 15 11:02:41 2010
;; MSG SIZE rcvd: 439

When it stops being masked like that, then it has gone live for real. Still 3 hours left according to the countdown at http://dns.icann.org/.

An interesting DNSSEC amplification

Posted Jul 15, 2010 14:08 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)

I was wrong. Thanks for correction!

BTW, what should be done in BIND to allow it to use the root key? Anything special besides the usual "dnssec-validate yes"?

I suspect that the root key must be manually added to the list of trusted anchors?

An interesting DNSSEC amplification

Posted Jul 15, 2010 14:32 UTC (Thu) by cesarb (subscriber, #6266)

Yes, AFAIK you will need to add it manually as a trust anchor. Be sure to have some way to deal with key rollover (or it will mysteriously stop working as a DNS server at some point in the future). I would recommend using "managed-keys" instead of "trusted-keys" to avoid any problems (see the fine manual at http://oldwww.isc.org/sw/bind/arm97/Bv9ARM.ch06.html#id25...).

I do not know whether ISC's DLV (http://www.isc.org/solutions/dlv) will be updated to use the DNS root key. If it is and you are already using ISC's DLV, you might not need to do anything at first (at least until it is shut down for not being needed anymore).

You can also simply wait for your distribution to update their packages, if you used it to configure DNSSEC (for instance, IIRC Fedora 13's bind package uses DNSSEC via ISC's DLV by default; it would not surprise me if it is updated soon to add the true DNS root key).

An interesting DNSSEC amplification

Posted Jul 15, 2010 14:37 UTC (Thu) by tialaramex (subscriber, #21167)

Yes, you should obtain and validate (the files will be GnuPG signed, and it is hoped that the people who sign are well connected in the web of trust) anchors for the root zone.

Eventually it is envisioned that OS vendors would provide and update these anchors, much as they all tend to offer timezone files updated with changes from the various civilian entities which claim authority to determine local time. The older anchors would become invalid after some period of time (I've forgotten, perhaps it's a year) and everyone would need to update often enough or switch off DNSSEC.
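Pulling together two points from this thread (cesarb's check above that the root DNSKEY set is still the masked placeholder, and the later advice to install the real key in BIND as a managed-keys anchor), here is an added Python example; it is not code posted by any commenter. It parses DNSKEY and RRSIG records in the form dig prints them (rejoining the base64 that dig wraps across several space-separated chunks), decodes the flags to tell the KSK (SEP bit) from the ZSK, computes the RFC 4034 key tag so a DNSKEY can be matched against the "19036" field of the RRSIG Cyberax quoted, refuses to emit an anchor for a DURZ placeholder, and otherwise prints a BIND 9.7 managed-keys stanza for the KSK. The two sample keys are constructed with arbitrary, far-too-short public-key bytes and are not the real root key; the placeholder record is the start of the first DNSKEY from the dig output above, and the RRSIG is the one quoted above. A dig answer alone proves nothing about the key's authenticity, so the stanza this prints is only as trustworthy as the out-of-band check you did on the key first.

```python
"""Inspect a DNSKEY RRset as printed by dig and emit a BIND managed-keys
stanza for its KSK.  Added example; sample keys are constructed, not the root key."""
from __future__ import annotations

import base64
from dataclasses import dataclass

# Text ICANN put in the public-key field of the placeholder (DURZ) root keys,
# visible in the dig output quoted in this thread.
DURZ_MARKER = "THIS/IS/AN/INVALID/KEY"


@dataclass
class DNSKEY:
    owner: str
    ttl: int
    flags: int
    protocol: int
    algorithm: int
    key_b64: str  # public key in presentation form, dig's line wraps removed

    @property
    def is_zone_key(self) -> bool:
        return bool(self.flags & 0x0100)  # RFC 4034 "Zone Key" flag (bit 7)

    @property
    def is_sep(self) -> bool:
        return bool(self.flags & 0x0001)  # RFC 4034 SEP flag (bit 15): a KSK

    @property
    def is_placeholder(self) -> bool:
        return DURZ_MARKER in self.key_b64

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + base64.b64decode(self.key_b64))

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (for every algorithm except RSA/MD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def parse_dnskey(line: str) -> DNSKEY:
    """Parse one DNSKEY RR as dig prints it; the base64 chunks are rejoined."""
    owner, ttl, cls, rtype, flags, proto, alg, *key = line.split()
    if (cls, rtype) != ("IN", "DNSKEY"):
        raise ValueError(f"not a DNSKEY record: {line[:40]!r}")
    return DNSKEY(owner, int(ttl), int(flags), int(proto), int(alg), "".join(key))


def parse_rrsig(line: str) -> tuple[str, int, int]:
    """Return (type covered, algorithm, key tag) from an RRSIG RR.
    RDATA order: type alg labels orig_ttl expiration inception key_tag signer sig."""
    f = line.split()
    if (f[2], f[3]) != ("IN", "RRSIG"):
        raise ValueError(f"not an RRSIG record: {line[:40]!r}")
    return f[4], int(f[5]), int(f[10])


def managed_keys_stanza(keys: list[DNSKEY]) -> str:
    """BIND 9.7 managed-keys stanza (RFC 5011 tracked) for the SEP key(s).
    Refuses the DURZ placeholder: it must never be installed as an anchor."""
    ksks = [k for k in keys if k.is_sep and k.is_zone_key]
    if not ksks:
        raise ValueError("no KSK (SEP flag set) in the DNSKEY set")
    if any(k.is_placeholder for k in ksks):
        raise ValueError("DNSKEY set is the DURZ placeholder, not the live root key")
    body = [f'    "{k.owner}" initial-key {k.flags} {k.protocol} {k.algorithm} "{k.key_b64}";'
            for k in ksks]
    return "\n".join(["managed-keys {", *body, "};"])


# --- Constructed sample input ---------------------------------------------
def _b64(hexbytes: str) -> str:
    return base64.b64encode(bytes.fromhex(hexbytes)).decode()

# Made-up keys: RSA-shaped bytes (exponent 65537, then a few "modulus" bytes),
# far too short to be real and NOT the root key.  Tags are illustrative only.
SAMPLE_KSK = f". 86400 IN DNSKEY 257 3 8 {_b64('03010001abcdef12')}"
SAMPLE_ZSK = f". 86400 IN DNSKEY 256 3 8 {_b64('03010001deadbeef')}"

# Start of the first placeholder DNSKEY from the dig output in this thread; the
# rest of that record is '+' padding.  Inspected as text only, never decoded.
DURZ_LINE = (". 86400 IN DNSKEY 257 3 8 AwEAAa7hd++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU "
             "LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION")

# The RRSIG over the root DNSKEY RRset as quoted in this thread.
RRSIG_LINE = (
    ". 86085 IN RRSIG DNSKEY 8 0 86400 20100725235959 20100711000000 19036 . "
    "I4cENgcWP+mN7eoX8KqPhvOMcGB0MMOB6ooTbEKHPR9gk6sAcJvq04tC ncwBNiMY3JxzHajsLmMermTL0sVmXj8j6Ba3eTX+t4CsdnUBFfk8zDyb "
    "lIIlYwWKZ/x2aXmOjKIKMIC9w8Wnt8awoo45MWzlAT2wGU7gcCAKxJ+O FG/ev8eUXpNxpzRIQvuC7ZGOlELJrrTQCgubyMWOjGaY0MPzrei0Uwe9 "
    "2autHPcISBKghnp80zfLmkueSO8qmkbwHn6Jg5vFQ7mG/BKJ5mDXCX5k IjfBQPPe+I2FsGnl+2r9yAmT1n7xLzktKRwKpCwE265EUhDMq7e0P7gF khgEPA==")

if __name__ == "__main__":
    covered, alg, tag = parse_rrsig(RRSIG_LINE)
    print(f"RRSIG over {covered}: algorithm {alg}, key tag {tag}")
    keys = [parse_dnskey(line) for line in (SAMPLE_KSK, SAMPLE_ZSK)]
    for k in keys:
        match = " <- matches the RRSIG" if (k.algorithm, k.key_tag()) == (alg, tag) else ""
        print(f"{'KSK' if k.is_sep else 'ZSK'} flags={k.flags} tag={k.key_tag()}{match}")
    print(managed_keys_stanza(keys))
    print("root set still masked?", parse_dnskey(DURZ_LINE).is_placeholder)
```

Run as a script it prints the parsed RRSIG fields, the role and tag of each constructed key, the stanza for the KSK only (a ZSK never belongs in a trust anchor), and True for the masked record; passing the placeholder set to managed_keys_stanza raises instead. The constructed keys deliberately do not carry tag 19036, so the "matches the RRSIG" marker does not fire on them; against a real DNSKEY answer the same comparison tells you which key produced the signature.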


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds