User: Password:
Subscribe / Log in / New account

An interesting DNSSEC amplification

An interesting DNSSEC amplification

Posted Jul 15, 2010 14:05 UTC (Thu) by cesarb (subscriber, #6266)
In reply to: An interesting DNSSEC amplification by Cyberax
Parent article: An interesting DNSSEC amplification

Nope, wrong query. You are looking at the RRSIG. Look instead at the DNSKEY:

$ dig . dnskey

; <<>> DiG 9.5.1-P2.1 <<>> . dnskey
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57513
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available


. 86400 IN DNSKEY 257 3 8 AwEAAa7hd++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION+++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++8=
. 86400 IN DNSKEY 256 3 8 AwEAAa2Yy++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION+++++++++++++++++++++++++++++++++++++++++++ +++++++8

;; Query time: 311 msec
;; SERVER: 2001:500:2f::f#53(2001:500:2f::f)
;; WHEN: Thu Jul 15 11:02:41 2010
;; MSG SIZE rcvd: 439

When it stops being masked like that, then it has gone live for real. Still 3 hours left according to the countdown at

(Log in to post comments)

An interesting DNSSEC amplification

Posted Jul 15, 2010 14:08 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

I was wrong. Thanks for correction!

BTW, what should be done in BIND to allow it to use the root key? Anything special besides the usual "dnssec-validate yes"?

I suspect that the root key must be manually added to the list of trusted anchors?

An interesting DNSSEC amplification

Posted Jul 15, 2010 14:32 UTC (Thu) by cesarb (subscriber, #6266) [Link]

Yes, AFAIK you will need to add it manually as a trust anchor. Be sure to have some way to deal with key rollover (or it will mysteriously stop working as a DNS server at some point in the future). I would recommend using "managed-keys" instead of "trusted-keys" to avoid any problems (see the fine manual at

I do not know whether ISC's DLV ( will be updated to use the DNS root key. If it is and you are already using ISC's DLV, you might not need to do anything at first (at least until it is shut down for not being needed anymore).

You can also simply wait for your distribution to update their packages, if you used it to configure DNSSEC (for instance, IIRC Fedora 13's bind package uses DNSSEC via ISC's DLV by default; it will not surprise me if it is updated soon to add the true DNS root key).

An interesting DNSSEC amplification

Posted Jul 15, 2010 14:37 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

Yes, you should obtain and validate (the files will be GnuPG signed, and it is hoped that the people who sign are well connected in the web of trust) anchors for the root zone.

Eventually it is envisioned that OS vendors would provide and update these anchors, much as they all tend to offer timezone files updated with changes from the various civilian entities which claim authority to determine local time. The older anchors would become invalid after some period of time (I've forgotten, perhaps it's a year) and everyone would need to update often enough or switch off DNSSEC.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds