[126451] in North American Network Operators' Group


Re: Root Zone DNSSEC Deployment Technical Status Update

daemon@ATHENA.MIT.EDU (Rubens Kuhl)
Sun May 16 14:53:10 2010

In-Reply-To: <AANLkTinvCTmInMwIknMYB_oiScNoTsLUMXo7C-8amADF@mail.gmail.com>
Date: Sun, 16 May 2010 15:52:54 -0300
From: Rubens Kuhl <rubensk@gmail.com>
To: itservices88 <itservices88@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

You probably need a trust anchor as well.
See http://ftp.isc.org/isc/pubs/tn/isc-tn-2006-1.html.

Rubens


On Sun, May 16, 2010 at 3:14 PM, itservices88 <itservices88@gmail.com> wrote:
> Hi,
>
> I was building a test domain for trying out DNSSEC. However, as mentioned
> on various websites, "ad" appears in the flags, but I can't see it. The
> domain I am using is not real and I am testing from the same machine,
> Fedora-12. Any help?
>
> Thanks
>
>
> options {
>         dnssec-enable yes;
>         dnssec-validation yes;
> };
>
> [root@ns1 named-data]# dig +dnssec @localhost www
> ; <<>> DiG 9.6.2-P1-RedHat-9.6.2-3.P1.fc12 <<>> +dnssec @localhost www
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16601
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.                          IN      A
> ;; AUTHORITY SECTION:
> .                       5221    IN      SOA     a.root-servers.net.
> nstld.verisign-grs.com. 2010051600 1800 900 604800 86400
> .                       5221    IN      RRSIG   SOA 8 0 86400 20100523070000
> 20100516060000 55138 .
> KTwve6TiQ6ShXCfEcbYusFWOCsx+IwCUumBr4GnwnNq1eqs7tqQaHqkJ
> T/ewcvjXvRGOmHjhGRgqkdESse+/fa+tz1sSdvMsTGGI2Ba9/Fbb43Ty
> eqsG5cFxbqfXOpwlA4ab9IR2Vkod6genONeYO6rrm2edNwQrf56wrtJr CNM=
> .                       5221    IN      RRSIG   NSEC 8 0 86400
> 20100523070000 20100516060000 55138 .
> uIgAQvJUyLjAPwb7zB8wcJ4wk++21g+iF/bJGlpvz4iUJOMwkPgqA2s/
> A8W0MhxBjo7918xg6yJeqYwXB+rGG14F7UZfOBVlXIqno5/kXzi4Carh
> /8sulBMyHbFmVlOht5SLU230ROaI6+4o0B6IRyiP5Vzgjt00zyFu26Rg Yb8=
> .                       5221    IN      NSEC    ac. NS SOA RRSIG NSEC DNSKEY
> ws.                     5221    IN      RRSIG   NSEC 8 1 86400
> 20100523070000 20100516060000 55138 .
> KsvM0PTDqWt0yoJNZ4k1UGTw0UtJZxsZa17bDHAyY7w1eocZlCqGJNd8
> 2/WDeJMfCkM+MakJLblnixlI6QcNYV6ctrKZkNuA/iX2rwapouVYoC7G
> HxvBLnb5TFWkCML+fhgOWza8RmRnCTY593uBgsPtcgEfTZAzYB+QFCEP 6oI=
> ws.                     5221    IN      NSEC    测试. NS RRSIG NSEC
> ;; Query time: 11 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sun May 16 11:02:43 2010
> ;; MSG SIZE  rcvd: 641
>
> ===============================================================
> On Wed, May 5, 2010 at 2:23 PM, Joe Abley <joe.abley@icann.org> wrote:
>
>> Root Zone DNSSEC Deployment
>> Technical Status Update 2010-05-05
>>
>> This is the sixth of a series of technical status updates intended
>> to inform a technical audience on progress in signing the root zone
>> of the DNS.
>>
>>
>> **  The final transition to a signed root zone took place today
>> **  on J-Root, between 1700--1900 UTC.
>> **
>> **  All root servers are now serving a signed root zone.
>> **
>> **  All root servers will now generate larger responses to DNS
>> **  queries that request DNSSEC information.
>> **
>> **  If you experience technical problems or need to contact
>> **  technical project staff, please send e-mail to rootsign@icann.org
>> **  or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred
>> **  if possible.
>> **
>> **  See below for more details.
>>
>>
>> RESOURCES
>>
>> Details of the project, including documentation published to date,
>> can be found at <http://www.root-dnssec.org/>.
>>
>> We'd like to hear from you. If you have feedback for us, please
>> send it to rootsign@icann.org.
>>
>>
>> DEPLOYMENT STATUS
>>
>> The incremental deployment of DNSSEC in the Root Zone is being
>> carried out first by serving a Deliberately Unvalidatable Root Zone
>> (DURZ), and subsequently by a conventionally signed root zone.
>> Discussion of the approach can be found in the document "DNSSEC
>> Deployment for the Root Zone", as well as in the technical presentations
>> delivered at RIPE, NANOG, IETF and ICANN meetings.
>>
>> All of the thirteen root servers have now made the transition to
>> the DURZ.  No harmful effects have been identified.
>>
>> The final root server to make the transition, J-Root, started serving
>> the DURZ in a maintenance window between 1700--1900 UTC on 2010-05-05.
>>
>> Initial observations relating to this transition will be presented
>> and discussed at the DNS Working Group meeting at RIPE 60 in Prague
>> on 2010-05-06.
>>
>>
>> PLANNED DEPLOYMENT SCHEDULE
>>
>> Already completed:
>>
>>  2010-01-27: L starts to serve DURZ
>>
>>  2010-02-10: A starts to serve DURZ
>>
>>  2010-03-03: M, I start to serve DURZ
>>
>>  2010-03-24: D, K, E start to serve DURZ
>>
>>  2010-04-14: B, H, C, G, F start to serve DURZ
>>
>>  2010-05-05: J starts to serve DURZ
>>
>> To come:
>>
>>  2010-07-01: Distribution of validatable, production, signed root
>>    zone; publication of root zone trust anchor
>>
>>  (Please note that this schedule is tentative and subject to change
>>  based on testing results or other unforeseen factors.)
>>
>>
>>
>
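
A check for the symptom discussed in this thread, as an added example that is not part of the original messages: it reads `dig +dnssec` output and reports whether the resolver validated the answer. The sample input is constructed and abbreviated from the quoted output; the function names and finding codes are illustrative.

```python
import re

# Constructed sample, abbreviated from the shape of the dig output quoted above.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16601
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.   IN  A
;; AUTHORITY SECTION:
.  5221  IN  RRSIG  SOA 8 0 86400 20100523070000 20100516060000 55138 . SIG-ELIDED
.  5221  IN  NSEC   ac. NS SOA RRSIG NSEC DNSKEY
"""

def parse_dig(text):
    """Pull out the header flags, EDNS flags, question name and RRSIG count."""
    d = {"status": None, "flags": set(), "edns": set(), "qname": None, "rrsigs": 0}
    section = None
    for line in map(str.strip, text.splitlines()):
        if m := re.search(r"status: (\w+)", line):
            d["status"] = m.group(1)
        elif m := re.match(r";; flags: ([a-z ]*);", line):
            d["flags"] = set(m.group(1).split())      # header bits: qr rd ra ad ...
        elif m := re.match(r"; EDNS: .*flags: ([a-z ]*);", line):
            d["edns"] = set(m.group(1).split())       # "do" = DNSSEC OK
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
        elif section == "QUESTION" and line.startswith(";"):
            d["qname"] = line[1:].split()[0]
        elif line[:1] not in ("", ";") and line.split()[3:4] == ["RRSIG"]:
            d["rrsigs"] += 1                          # name ttl class RRSIG ...
    return d

def diagnose(text):
    """Return finding codes that explain why the ad flag is or is not present."""
    d = parse_dig(text)
    out = []
    if "do" not in d["edns"]:
        out.append("no-do")                 # query never asked for DNSSEC records
    if "ad" in d["flags"]:
        out.append("validated")             # resolver authenticated the data
    elif d["rrsigs"]:
        out.append("signed-not-validated")  # signatures passed through unchecked,
                                            # e.g. no trust anchor covers the name
    else:
        out.append("unsigned")              # no signatures returned at all
    q = (d["qname"] or "").rstrip(".")
    if q and "." not in q:
        out.append("single-label-qname")    # name was looked up as a TLD in the root
    return out
```
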

