nanog mailing list archives

Re: Root Zone DNSSEC Deployment Technical Status Update


From: Rubens Kuhl <rubensk () gmail com>
Date: Sun, 16 May 2010 15:52:54 -0300

You probably need a trust anchor as well.
See http://ftp.isc.org/isc/pubs/tn/isc-tn-2006-1.html.

Rubens


On Sun, May 16, 2010 at 3:14 PM, itservices88 <itservices88 () gmail com> wrote:
Hi,

I was building a test domain for trying out DNSSEC. However, as mentioned
on various websites, "ad" appears in the flags, but I can't see it. The
domain I am using is not real and I am testing from the same machine,
Fedora-12. Any help?

Thanks


options {
       dnssec-enable yes;
       dnssec-validation yes;
};

[root@ns1 named-data]# dig +dnssec @localhost www
; <<>> DiG 9.6.2-P1-RedHat-9.6.2-3.P1.fc12 <<>> +dnssec @localhost www
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16601
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.                           IN      A
;; AUTHORITY SECTION:
.                       5221    IN      SOA     a.root-servers.net.
nstld.verisign-grs.com. 2010051600 1800 900 604800 86400
.                       5221    IN      RRSIG   SOA 8 0 86400 20100523070000
20100516060000 55138 .
KTwve6TiQ6ShXCfEcbYusFWOCsx+IwCUumBr4GnwnNq1eqs7tqQaHqkJ
T/ewcvjXvRGOmHjhGRgqkdESse+/fa+tz1sSdvMsTGGI2Ba9/Fbb43Ty
eqsG5cFxbqfXOpwlA4ab9IR2Vkod6genONeYO6rrm2edNwQrf56wrtJr CNM=
.                       5221    IN      RRSIG   NSEC 8 0 86400
20100523070000 20100516060000 55138 .
uIgAQvJUyLjAPwb7zB8wcJ4wk++21g+iF/bJGlpvz4iUJOMwkPgqA2s/
A8W0MhxBjo7918xg6yJeqYwXB+rGG14F7UZfOBVlXIqno5/kXzi4Carh
/8sulBMyHbFmVlOht5SLU230ROaI6+4o0B6IRyiP5Vzgjt00zyFu26Rg Yb8=
.                       5221    IN      NSEC    ac. NS SOA RRSIG NSEC DNSKEY
ws.                     5221    IN      RRSIG   NSEC 8 1 86400
20100523070000 20100516060000 55138 .
KsvM0PTDqWt0yoJNZ4k1UGTw0UtJZxsZa17bDHAyY7w1eocZlCqGJNd8
2/WDeJMfCkM+MakJLblnixlI6QcNYV6ctrKZkNuA/iX2rwapouVYoC7G
HxvBLnb5TFWkCML+fhgOWza8RmRnCTY593uBgsPtcgEfTZAzYB+QFCEP 6oI=
ws.                     5221    IN      NSEC    测试. NS RRSIG NSEC
;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 16 11:02:43 2010
;; MSG SIZE  rcvd: 641

===============================================================
On Wed, May 5, 2010 at 2:23 PM, Joe Abley <joe.abley () icann org> wrote:

Root Zone DNSSEC Deployment
Technical Status Update 2010-05-05

This is the sixth of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS.


**  The final transition to a signed root zone took place today
**  on J-Root, between 1700--1900 UTC.
**
**  All root servers are now serving a signed root zone.
**
**  All root servers will now generate larger responses to DNS
**  queries that request DNSSEC information.
**
**  If you experience technical problems or need to contact
**  technical project staff, please send e-mail to rootsign () icann org
**  or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred
**  if possible.
**
**  See below for more details.


RESOURCES

Details of the project, including documentation published to date,
can be found at <http://www.root-dnssec.org/>.

We'd like to hear from you. If you have feedback for us, please
send it to rootsign () icann org.


DEPLOYMENT STATUS

The incremental deployment of DNSSEC in the Root Zone is being
carried out first by serving a Deliberately Unvalidatable Root Zone
(DURZ), and subsequently by a conventionally signed root zone.
Discussion of the approach can be found in the document "DNSSEC
Deployment for the Root Zone", as well as in the technical presentations
delivered at RIPE, NANOG, IETF and ICANN meetings.

All of the thirteen root servers have now made the transition to
the DURZ.  No harmful effects have been identified.

The final root server to make the transition, J-Root, started serving
the DURZ in a maintenance window between 1700--1900 UTC on 2010-05-05.

Initial observations relating to this transition will be presented
and discussed at the DNS Working Group meeting at RIPE 60 in Prague
on 2010-05-06.


PLANNED DEPLOYMENT SCHEDULE

Already completed:

 2010-01-27: L starts to serve DURZ

 2010-02-10: A starts to serve DURZ

 2010-03-03: M, I start to serve DURZ

 2010-03-24: D, K, E start to serve DURZ

 2010-04-14: B, H, C, G, F start to serve DURZ

 2010-05-05: J starts to serve DURZ

To come:

 2010-07-01: Distribution of validatable, production, signed root
   zone; publication of root zone trust anchor

 (Please note that this schedule is tentative and subject to change
 based on testing results or other unforeseen factors.)
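
The following is an added example, not part of the original messages: a small Python check that reads `dig +dnssec` text output and separates "signatures were returned" from "the resolver validated them" (the `ad` flag), which is the distinction the question in this thread turns on. The function name `dnssec_status` and the verdict strings are hypothetical; the sample input is constructed from the header lines of the dig output quoted above, with the signature elided.

```python
import re

# Constructed sample: header and two record lines from the dig output in the thread.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16601
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
.   5221 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010051600 1800 900 604800 86400
.   5221 IN RRSIG SOA 8 0 86400 20100523070000 20100516060000 55138 . (signature elided)
"""

def dnssec_status(dig_text):
    """Classify a `dig +dnssec` response from its text output (hypothetical helper)."""
    status, flags, edns_flags, has_rrsig = None, set(), set(), False
    for line in dig_text.splitlines():
        m = re.match(r";; ->>HEADER<<- .*status: (\w+)", line)
        if m:
            status = m.group(1)
        m = re.match(r";; flags:([^;]*);", line)       # message header flags
        if m:
            flags = set(m.group(1).split())
        m = re.match(r"; EDNS:.*flags:([^;]*);", line)  # EDNS flags (DO bit)
        if m:
            edns_flags = set(m.group(1).split())
        # Record lines do not start with ';'
        if not line.startswith(";") and re.search(r"\sIN\s+RRSIG\s", line):
            has_rrsig = True

    if status == "SERVFAIL":
        # A validating resolver answers SERVFAIL when validation fails;
        # other causes are possible, so this is only a hint.
        verdict = "servfail"
    elif "ad" in flags:
        verdict = "validated"
    elif has_rrsig:
        # Signatures came back but nothing vouched for them, for example
        # because the resolver has no trust anchor covering the zone.
        verdict = "signed-but-unvalidated"
    else:
        verdict = "unsigned-or-dnssec-not-requested"
    return {"status": status, "ad": "ad" in flags, "do": "do" in edns_flags,
            "rrsig": has_rrsig, "verdict": verdict}

if __name__ == "__main__":
    print(dnssec_status(SAMPLE))
```
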





