An interesting DNSSEC amplification
Posted Jul 15, 2010 2:21 UTC (Thu) by jake (editor, #205)
Hmm, coincidence I guess, cuz I don't know what it would be lined up with. Ignorance is bliss :)
Posted Jul 15, 2010 12:48 UTC (Thu) by cesarb (subscriber, #6266)
"Planned High Level Timeline
July 15, 2010: ICANN publishes the root zone trust anchor and root operators begin to serve the signed root zone with actual keys. The signed root zone is available."
That is, today.
Posted Jul 15, 2010 13:06 UTC (Thu) by rahulsundaram (subscriber, #21946)
Posted Jul 15, 2010 13:25 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
. 86085 IN RRSIG DNSKEY 8 0 86400 20100725235959 20100711000000 19036 . I4cENgcWP+mN7eoX8KqPhvOMcGB0MMOB6ooTbEKHPR9gk6sAcJvq04tC ncwBNiMY3JxzHajsLmMermTL0sVmXj8j6Ba3eTX+t4CsdnUBFfk8zDyb lIIlYwWKZ/x2aXmOjKIKMIC9w8Wnt8awoo45MWzlAT2wGU7gcCAKxJ+O FG/ev8eUXpNxpzRIQvuC7ZGOlELJrrTQCgubyMWOjGaY0MPzrei0Uwe9 2autHPcISBKghnp80zfLmkueSO8qmkbwHn6Jg5vFQ7mG/BKJ5mDXCX5k IjfBQPPe+I2FsGnl+2r9yAmT1n7xLzktKRwKpCwE265EUhDMq7e0P7gF khgEPA==
Posted Jul 15, 2010 14:05 UTC (Thu) by cesarb (subscriber, #6266)
$ dig . dnskey @f.root-servers.net
; <<>> DiG 9.5.1-P2.1 <<>> . dnskey @f.root-servers.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57513
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;. IN DNSKEY
;; ANSWER SECTION:
. 86400 IN DNSKEY 257 3 8 AwEAAa7hd++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION+++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++8=
. 86400 IN DNSKEY 256 3 8 AwEAAa2Yy++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION+++++++++++++++++++++++++++++++++++++++++++ +++++++8
;; Query time: 311 msec
;; SERVER: 2001:500:2f::f#53(2001:500:2f::f)
;; WHEN: Thu Jul 15 11:02:41 2010
;; MSG SIZE rcvd: 439
When it stops being masked like that, then it has gone live for real. Still 3 hours left according to the countdown at http://dns.icann.org/.
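A scripted form of the check cesarb describes above (is the served root DNSKEY RRset still the masked placeholder, and does any real key carry the key tag named in the RRSIG?), added here as an example that is not part of the thread. The sample records and the key tag value 2059 are constructed, not the real root keys.

```python
import base64
from dataclasses import dataclass

PLACEHOLDER_MARK = "THIS/IS/AN/INVALID/KEY"  # marker text in the masked root keys

@dataclass
class Dnskey:
    flags: int
    protocol: int
    algorithm: int
    key_b64: str

    def rdata(self) -> bytes:  # wire RDATA: flags(2) protocol algorithm raw-key
        return (self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm])
                + base64.b64decode(self.key_b64))

    def key_tag(self) -> int:  # key tag per RFC 4034 Appendix B
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

def parse_dnskey(line: str) -> Dnskey:
    """Parse a dig-style DNSKEY line; dig prints the base64 key in space-separated chunks."""
    f = line.split()
    if f[2:4] != ["IN", "DNSKEY"]:
        raise ValueError("not a DNSKEY record: " + line)
    return Dnskey(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]))

def rrsig_key_tag(line: str) -> int:
    """Key tag of a dig-style RRSIG line (7th RDATA field, after the owner/TTL/class/type)."""
    f = line.split()
    if f[2:4] != ["IN", "RRSIG"]:
        raise ValueError("not an RRSIG record: " + line)
    return int(f[10])

def signing_key_present(dnskey_lines, rrsig_line) -> bool:
    """True when a non-placeholder DNSKEY in the RRset carries the RRSIG's key tag."""
    wanted = rrsig_key_tag(rrsig_line)
    for line in dnskey_lines:
        key = parse_dnskey(line)
        if PLACEHOLDER_MARK in key.key_b64:
            continue  # still the masked pre-launch key; it cannot have produced the RRSIG
        if key.key_tag() == wanted:
            return True
    return False

# Constructed sample records (not real root keys); "AQID" decodes to bytes 01 02 03
KSK_LINE = ". 86400 IN DNSKEY 257 3 8 AQID"
MASKED_LINE = ". 86400 IN DNSKEY 257 3 8 AwEAAa7hd+++ THIS/IS/AN/INVALID/KEY/ AND/SHOULD/NOT/BE/USED8="
RRSIG_LINE = ". 86085 IN RRSIG DNSKEY 8 0 86400 20100725235959 20100711000000 2059 . c2ln"
```

Feed it the DNSKEY and RRSIG lines from a `dig . dnskey +dnssec` answer section; a False result means the resolver is still seeing the masked RRset or a key other than the one the RRSIG references.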
Posted Jul 15, 2010 14:08 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
BTW, what should be done in BIND to allow it to use the root key? Anything special besides the usual "dnssec-validate yes"?
I suspect that the root key must be manually added to the list of trusted anchors?
Posted Jul 15, 2010 14:32 UTC (Thu) by cesarb (subscriber, #6266)
I do not know whether ISC's DLV (http://www.isc.org/solutions/dlv) will be updated to use the DNS root key. If it is and you are already using ISC's DLV, you might not need to do anything at first (at least until it is shut down for not being needed anymore).
You can also simply wait for your distribution to update their packages, if you used it to configure DNSSEC (for instance, IIRC Fedora 13's bind package uses DNSSEC via ISC's DLV by default; it will not surprise me if it is updated soon to add the true DNS root key).
Posted Jul 15, 2010 14:37 UTC (Thu) by tialaramex (subscriber, #21167)
Eventually it is envisioned that OS vendors would provide and update these anchors, much as they all tend to offer timezone files updated with changes from the various civilian entities which claim authority to determine local time. The older anchors would become invalid after some period of time (I've forgotten, perhaps it's a year) and everyone would need to update often enough or switch off DNSSEC.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds