[afnog] [AfTLD-Discuss] .TZ DS records in root zone

Mark Elkins mje at posix.co.za
Sun Feb 10 12:28:36 UTC 2013


On Sun, 2013-02-10 at 13:45 +0300, Frank Habicht wrote:
> On 2/9/2013 11:41 PM, Mark Elkins wrote:
> > Questions, 
> > doing any DNS/DNSSEC training?
> > what does the ccTLD structure look like?
> > I'm guessing..
> > 
> > .tz - closed - except for exciting new second levels...
> > .co.tz - Commercial
> > .or.tz - Organisations
> 
> yes

What does the 'yes' refer to?

> > So how far down are signed domains available. I get no AD bit when
> > looking up www.tznic.or.tz yet. It's just the 'tz' zone for now?
> 
> $ dig @ns-tz.afrinic.net. or.tz ds         # server has .tz zone, no SLDs
> ...
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1    # has an answer
> 
> $ dig @nic.co.tz. or.tz dnskey             # server has SLDs, not .tz
> ...
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3    # has answers
> 
> [I hope I did that right....]
> [all answered on IP addresses with colons in them :-)]

So I first found out what the Nameservers for '.tz' were..

mjelap # dig tz ns
....
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 13
....
;; ANSWER SECTION:
tz.			18000	IN	NS	d.ext.nic.cz.
tz.			18000	IN	NS	ns.anycast.co.tz.
tz.			18000	IN	NS	ns-tz.afrinic.net.
tz.			18000	IN	NS	rip.psg.com.
tz.			18000	IN	NS	sns-pb.isc.org.
tz.			18000	IN	NS	ns2.tznic.or.tz.

This is an authenticated answer (all my resolvers are DNSSEC aware) -
the AD bit is set.

So ask a 'tz' authoritative nameserver - I asked 'sns-pb.isc.org'
because when I ask that machine's IP - the 'isc.org' zone is DNSSEC
signed.

mjelap # dig @sns-pb.isc.org. or.tz ds
...
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 3
...
;; ANSWER SECTION:
or.tz.			18000	IN	DS	19948 5 1 326700A5192ED49B63FD20BF0276D47C93F315ED

So a DS record exists for OR.TZ in the TZ zone, but no AD bit set yet.

More digging around shows RRSETs - but no AD bits..

Work in progress - let's not rush people.


> 
> > I'll be asking later, can I get a TZ based zone such as
> > 'dnssec.co.tz/dnssec.or.tz' (which would be similar to
> > 'dnssec.co.za/dnssec.na') and pass you the appropriate DS record from my
> > side? Take a look at 'www.dnssec.co.za'.
> 
> That will probably cost you around TZS 25,000    ;-)
> 
> Frank
> 

-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
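
The DS record for or.tz shown in the message ties the parent zone to one DNSKEY in the child. As an added example (not part of the original message), the Python below checks that link the way RFC 4034 defines it: key tag, algorithm, and a digest over the owner name plus the DNSKEY RDATA. The DNSKEY is constructed sample data, not the real or.tz key, and the function names are hypothetical.

```python
import hashlib
import struct

# DS line copied from the dig output in the message.
PAGE_DS = "or.tz.\t18000\tIN\tDS\t19948 5 1 326700A5192ED49B63FD20BF0276D47C93F315ED"
# Constructed DNSKEY RDATA (flags 257, protocol 3, algorithm 5); NOT the real or.tz key.
SAMPLE_KEY = struct.pack("!HBB", 257, 3, 5) + bytes(range(64))
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def name_to_wire(name):
    """Canonical lower-case wire format of an owner name (RFC 4034, 6.2)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_ds(line):
    """Parse a DS record in dig's presentation format."""
    owner, _ttl, _cls, rtype, tag, alg, dtype, *digest = line.split()
    if rtype != "DS":
        raise ValueError("not a DS record")
    return {"owner": owner, "key_tag": int(tag), "algorithm": int(alg),
            "digest_type": int(dtype), "digest": "".join(digest).upper()}

def ds_digest(owner, rdata, digest_type):
    """digest = hash(owner name in wire format | DNSKEY RDATA)."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches_dnskey(ds, rdata):
    """True only if the parent's DS commits to exactly this child DNSKEY."""
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False  # byte 3 of the RDATA is the algorithm number
    return ds_digest(ds["owner"], rdata, ds["digest_type"]) == ds["digest"]

def make_ds_line(owner, rdata, digest_type=1, ttl=18000):
    """Build the DS line a child would hand to its parent for this key."""
    digest = ds_digest(owner, rdata, digest_type)
    return f"{owner}\t{ttl}\tIN\tDS\t{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

if __name__ == "__main__":
    print(parse_ds(PAGE_DS))
    print(ds_matches_dnskey(parse_ds(make_ds_line("or.tz.", SAMPLE_KEY)), SAMPLE_KEY))
```

To check a live delegation, feed it the DS line from a parent-zone server and the DNSKEY RDATA from a child-zone server, as the two dig queries in the message do.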
