[afnog] [AfrICANN-discuss] Re: [AfTLD-Discuss] .TZ DS records in root zone

Simon M. Balthazar sbalthazar at tznic.or.tz
Mon Feb 11 12:02:24 UTC 2013


On 10/02/2013 15:28, Mark Elkins wrote:
> On Sun, 2013-02-10 at 13:45 +0300, Frank Habicht wrote:
>> On 2/9/2013 11:41 PM, Mark Elkins wrote:
>>> Questions, 
>>> doing any DNS/DNSSEC training?
>>> what does the ccTLD structure look like?
>>> I'm guessing..
>>>
>>> .tz - closed - except for exciting new second levels...
>>> .co.tz - Commercial
>>> .or.tz - Organisations
>> yes
> What does the 'yes' refer to?
>
>>> So how far down are signed domains available. I get no AD bit when
>>> looking up www.tznic.or.tz yet. It's just the 'tz' zone for now?
>> $ dig @ns-tz.afrinic.net. or.tz ds         # server has .tz zone, no SLDs
>> ...
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1    # has an answer
>>
>> $ dig @nic.co.tz. or.tz dnskey             # server has SLDs, not .tz
>> ...
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3    # has answers
>>
>> [i hope I did that right....]
>> [all answered on IP addresses with colons in them :-)]
> So I first found out what the Nameservers for '.tz' were..
>
> mjelap # dig tz ns
> ....
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 13
> ....
> ;; ANSWER SECTION:
> tz.			18000	IN	NS	d.ext.nic.cz.
> tz.			18000	IN	NS	ns.anycast.co.tz.
> tz.			18000	IN	NS	ns-tz.afrinic.net.
> tz.			18000	IN	NS	rip.psg.com.
> tz.			18000	IN	NS	sns-pb.isc.org.
> tz.			18000	IN	NS	ns2.tznic.or.tz.
>
> This is an authenticated answer (all my resolvers are DNSSEC aware) -
> the AD bit is set.
>
> So ask a 'tz' authoritative nameserver - I asked 'sns-pb.isc.org'
> because when I ask that machine's IP - the isc.org zone is DNSSEC
> signed.
>
> mjelap # dig @sns-pb.isc.org. or.tz ds
> ...
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 3
> ...
> ;; ANSWER SECTION:
> or.tz.			18000	IN	DS	19948 5 1 326700A5192ED49B63FD20BF0276D47C93F315ED
>
> So a DS record exists for OR.TZ in the TZ zone, but no AD bit set yet.
>
> More digging around shows RRSETs - but no AD bits..
>
> Work in progress - let's not rush people.

Hello Mark,

I thought I should take this off-list.

First and foremost, the tznic.or.tz domain is not signed yet, but it will be
before the end of this week. We already have a page www.tznic.or.tz/dnssec
which has information about DNSSEC for our registrars and registrants;
it also includes our DPS. This page is not published yet pending
verification of contents, which is our standard procedure.

About training, yes, we have been conducting DNS and FRED training for
our registrars. We have also conducted some training outside Tanzania;
the most recent one includes the AFTLD training in Khartoum where I was the
only English-speaking resource person. We also conducted a DNSSEC
training for ISPs and the .zm registry in Zambia by invitation from ZICTA in
December 2012.

About the structure, what Frank meant was that YES, your guess was right.
We are open for registration from the third level. All our second level
domains are signed and their DS are in the tz zone. You can bring the DS now
and your third level will have a complete chain of trust.

The last bit, where you say "it's a work in progress": My knowledge of
DNSSEC says that validation is done on the recursive servers. You don't
get an AD bit when you query an authoritative server simply because they
don't do validation; they just hold the correct keys. This explains
why in BIND we put "dnssec-validation yes;" on recursive
servers only. The AD bit comes with validation.

This is from my recursive server hence "ad bit":-

dig se ns +dnssec

; <<>> DiG 9.8.1-P1 <<>> se ns +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 864
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 33

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;se.                IN    NS

;; ANSWER SECTION:
se.            160498    IN    NS    f.ns.se.
This is from authoritative hence "no ad bit":-

dig @f.ns.se. se. ns +dnssec

; <<>> DiG 9.8.1-P1 <<>> @f.ns.se. se. ns +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50540
;; flags: qr aa rd; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;se.                IN    NS

;; ANSWER SECTION:
se.            172800    IN    NS    a.ns.se.
se.            172800    IN    NS    b.ns.se.
Simon.
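The distinction Simon draws above (AD is set by a validating recursive resolver, never by an authoritative server, which merely serves the keys and signatures) can be checked mechanically. The following is an added example, not code from the thread or from TzNIC: it decodes the flags word of a raw DNS header and, separately, the ";; flags:" line that dig prints, and then explains what the presence or absence of AD means for that answer. The packets and dig lines are constructed to mirror the three responses quoted in the thread; the function names and the sample message ids are my own.

```python
"""Classify DNS answers by their header flags: validated recursive (AD) vs
authoritative (AA, no AD). Added example; sample packets and dig lines below
are constructed to mirror the thread's outputs, not real captures."""
import struct

# Bit masks for the 16-bit flags word in the DNS header (RFC 1035 s4.1.1).
# AD/CD semantics: RFC 4035 s3.1.6 (authoritative), s3.2.2/s3.2.3 (recursive).
FLAG_BITS = {
    "qr": 0x8000,  # message is a response
    "aa": 0x0400,  # authoritative answer
    "tc": 0x0200,  # truncated
    "rd": 0x0100,  # recursion desired
    "ra": 0x0080,  # recursion available
    "ad": 0x0020,  # authentic data: the validator verified the chain of trust
    "cd": 0x0010,  # checking disabled: client asked for no validation
}


def header_flags(packet: bytes) -> set[str]:
    """Return the names of the flags set in a raw DNS message header."""
    if len(packet) < 12:
        raise ValueError("a DNS header is 12 bytes")
    _msg_id, flags = struct.unpack("!HH", packet[:4])
    return {name for name, bit in FLAG_BITS.items() if flags & bit}


def dig_flags(line: str) -> set[str]:
    """Return the flag names from a dig ';; flags: ...' line."""
    prefix = ";; flags:"
    if not line.startswith(prefix):
        raise ValueError("not a dig flags line")
    return set(line[len(prefix):].split(";", 1)[0].split())


def classify(flags: set[str]) -> str:
    """Explain what the AD bit, or its absence, means for this answer.

    Note for stub clients: AD is only meaningful if you trust the resolver
    that set it and the path to it (RFC 4035 s4.9.3); an on-path attacker
    can set the bit just as easily as the resolver can.
    """
    if "qr" not in flags:
        return "query, not a response"
    if "aa" in flags:
        # Authoritative servers hand out RRSIGs/DNSKEYs but never validate,
        # so a missing AD here says nothing about whether the zone is signed.
        return "authoritative answer: no validation performed, AD not expected"
    if "ad" in flags:
        return "validating recursive answer: chain of trust verified by the resolver"
    return ("recursive answer without AD: resolver not validating, "
            "or zone unsigned / chain incomplete")


def build_header(msg_id: int, flag_names: set[str],
                 counts: tuple = (1, 0, 0, 0)) -> bytes:
    """Construct a 12-byte DNS header (QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT)."""
    word = 0
    for name in flag_names:
        word |= FLAG_BITS[name]
    return struct.pack("!6H", msg_id, word, *counts)


# Constructed headers mirroring the two "dig ... +dnssec" outputs in the thread.
RECURSIVE = build_header(864, {"qr", "rd", "ra", "ad"}, (1, 10, 0, 33))
AUTHORITATIVE = build_header(50540, {"qr", "aa", "rd"}, (1, 10, 0, 9))

# Constructed copies of the flags lines quoted in the thread.
DIG_LINES = {
    "dig se ns +dnssec (recursive)":
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 33",
    "dig @f.ns.se. se. ns +dnssec (authoritative)":
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 9",
    "dig @sns-pb.isc.org. or.tz ds (authoritative)":
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 3",
}

if __name__ == "__main__":
    for label, line in DIG_LINES.items():
        print(f"{label}: {classify(dig_flags(line))}")
    for label, pkt in (("raw recursive", RECURSIVE),
                       ("raw authoritative", AUTHORITATIVE)):
        print(f"{label}: {sorted(header_flags(pkt))} -> {classify(header_flags(pkt))}")
```

Running it shows the same split the thread describes: the resolver's answer carries qr rd ra ad, both authoritative answers carry qr aa rd, and the DS for or.tz returned by sns-pb.isc.org is an authoritative answer whose missing AD is expected rather than a sign that the chain is broken. To confirm that a third-level name under or.tz actually validates, the query has to go through a validating resolver (BIND with "dnssec-validation yes;"), not to the authoritative server.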
