[afnog] Signing root zone

alain aina aalain at trstech.net
Thu Nov 6 16:30:01 UTC 2008


On Nov 6, 2008, at 1:33 PM, Stephane Bortzmeyer wrote:

> On Thu, Nov 06, 2008 at 09:40:41AM +0000,
> alain aina <aalain at trstech.net> wrote
> a message of 18 lines which said:
>
>> Just wondering if people here are informed about what is going on about
>> DNSSEC deployment
>
> BTW, trstech.net is *not* resolvable with a DNSSEC resolver using
> DLV. There is a DLV record at dlv.isc.org but the zone is not signed
> (the DNSSEC equivalent of a lame delegation).
>
> As a result, my BIND resolver yielded SERVFAIL.



As you noticed, and the dig below confirms, trstech.net was one of the
first users of ISC DLV. It does not scale and work exactly as we
expected, and we have abandoned it for now.


; <<>> DiG 9.4.2-P2 <<>> @ns-ext.isc.org trstech.net.dlv.isc.org dlv
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46271
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7

;; QUESTION SECTION:
;trstech.net.dlv.isc.org.	IN	DLV

;; ANSWER SECTION:
trstech.net.dlv.isc.org. 3600	IN	DLV	36472 5 1 0B4B9F5A6CA4B0C800D2B432F1D206F176E8E00F
trstech.net.dlv.isc.org. 3600	IN	DLV	36472 5 2 FB0DA57E6C06EA0CF636C47016DCE1DAC81142A3FCA389D2CBA829FC 2E0EABE0

[.............]
;; Query time: 120 msec
;; SERVER: 204.152.184.64#53(204.152.184.64)
;; WHEN: Thu Nov  6 16:14:51 2008
;; MSG SIZE  rcvd: 386


>
>
> (Thanks to Gilles Massen of the ".lu" registry for the technical
> analysis.)
>
> This emphasizes several points:
>
> * DNSSEC requires much more professionalism,
>
> * DNSSEC allows you to shoot yourself in the foot quite easily.
>


Were people expecting DNSSEC to be a simple and easy solution?

--alain
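The failure Stephane describes is a DLV record that points at a key the zone does not publish: a validating resolver fetches the DLV RR, looks for a DNSKEY at the zone apex whose key tag, algorithm and digest match it, finds none, and returns SERVFAIL. The script below is an added example (not code from the thread or from ISC) that performs that matching offline: it computes the RFC 4034 key tag and the DS/DLV digest (SHA-1 or SHA-256 over the owner name in wire format followed by the DNSKEY RDATA, as RFC 4034 section 5 and RFC 4431 specify) and checks the two DLV records printed above against a DNSKEY set. The DNSKEY used is a constructed placeholder, not trstech.net's real key, and the function names are the example's own.

```python
import hashlib
import struct

# The two DLV records for trstech.net exactly as dig printed them in this
# thread: (key tag, algorithm, digest type, digest). dig wraps the SHA-256
# digest with a space, which the comparison below tolerates.
PAGE_DLV = [
    (36472, 5, 1, "0B4B9F5A6CA4B0C800D2B432F1D206F176E8E00F"),
    (36472, 5, 2, "FB0DA57E6C06EA0CF636C47016DCE1DAC81142A3FCA389D2CBA829FC 2E0EABE0"),
]

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Uncompressed, lowercased wire form of a DNS name (RFC 4034 canonical form)."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS/DLV digest: hash(owner name in wire form | DNSKEY RDATA), upper-case hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_dlv(owner: str, rdata: bytes, digest_type: int):
    """Build the (tag, alg, digest type, digest) tuple a DLV record would carry."""
    algorithm = rdata[3]
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def check_dlv_against_keys(owner: str, dlv_records, dnskeys):
    """For every DLV record, say whether some apex DNSKEY matches it.

    Returns {(tag, alg, digest_type): matched}. A DLV record with no matching
    DNSKEY is the "lame delegation" case from the thread: a validator that
    trusts dlv.isc.org cannot build a chain and answers SERVFAIL.
    """
    report = {}
    for tag, alg, dtype, digest in dlv_records:
        wanted = digest.replace(" ", "").upper()
        matched = any(
            rdata[3] == alg
            and key_tag(rdata) == tag
            and ds_digest(owner, rdata, dtype) == wanted
            for rdata in dnskeys
        )
        report[(tag, alg, dtype)] = matched
    return report


# Constructed placeholder KSK: flags 257, protocol 3, algorithm 5 (RSA/SHA-1).
# The key material is a dummy byte sequence, not a real RSA key; tag and digest
# computation only depend on the bytes, so it is enough to exercise the check.
EXAMPLE_KEY = dnskey_rdata(257, 3, 5, bytes(range(1, 65)))


def demo():
    """Healthy case (DLV derived from the published key) versus the thread's case."""
    healthy = check_dlv_against_keys(
        "example.org.", [make_dlv("example.org.", EXAMPLE_KEY, 1)], [EXAMPLE_KEY]
    )
    # trstech.net published no DNSKEY at the time, so nothing can match the DLV.
    lame = check_dlv_against_keys("trstech.net.", PAGE_DLV, [])
    return healthy, lame


if __name__ == "__main__":
    healthy, lame = demo()
    print("healthy:", healthy)
    print("lame   :", lame)
```

In operation you would feed `check_dlv_against_keys` the DLV RRset fetched from dlv.isc.org and the DNSKEY RRset fetched from the zone's own servers; any `False` in the report means validators using that DLV registry will fail the zone, which is exactly the SERVFAIL Stephane saw, and the same logic applies unchanged to a DS record in the parent once the parent is signed.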
