DNSSEC Status...

Mark Andrews marka at isc.org
Tue Jun 1 23:34:07 UTC 2010


In message <573607.58516.qm at web114302.mail.gq1.yahoo.com>, Heavy Man writes:
> A few questions about DNSSEC...
> 
> I understand the root zones are currently getting signed.  Just for sanity's
> sake, should I be able to DIG +dnssec a.gtld-servers.net and be able to see
> a RRSIG record (assume I have a valid dnssec recursive name server with a
> valid trust anchor configured).  Check out the following...

Firstly it would be a.root-servers.net, not a.gtld-servers.net.
Secondly root-servers.net is not signed and doesn't need to be.

> Also, reference the following URL..
> 
> https://ns.iana.org/dnssec/root.zone.signed
> 
> I assume this data is correct.  Is there a security risk publishing this
> data?  I understand DNS is public information but why wouldn't the root be
> signed using nsec3 versus nsec?

Because there is no benefit to signing with NSEC3.
* The entire zone is publicly available so you don't need the obscuration.
* The zone is so small that you don't need optout.

Also NSEC3 is more expensive operationally.  The authoritative servers
need to do more work to serve the zone and validators need to do more
work to check the answers.

You don't use NSEC3 unless there is a real benefit to using it.  If you
just have an http server and email, don't go using NSEC3.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
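As an added illustration of the NSEC versus NSEC3 trade-off described in the reply above (this is example code written for this archive page, not code from the post, from ISC or from BIND), the script below builds both chains over a constructed sample zone and runs the covering check a validator performs to accept a "name does not exist" answer. It shows the two points made above: the NSEC record that denies a name carries two real owner names in clear text, while the NSEC3 record carries only hashes, and every hashed name costs the validator 1 + iterations SHA-1 rounds (RFC 5155 section 5). The zone names, the salt aabbccdd and the iteration count 12 are constructed sample values; a full RFC 5155 negative proof also needs the closest-encloser and wildcard checks, which are left out here.

```python
"""Denial of existence under NSEC versus NSEC3.

Added example, not code from the bind-users post or from BIND. It models the
core covering check a validator runs to accept "this name does not exist",
and what each record type exposes while doing so. Zone names, salt and
iteration count below are constructed sample values.
"""
import base64
import hashlib

# base32 (RFC 4648 section 6) and base32hex (section 7) group bits the same
# way and differ only in alphabet, so a character translation converts them.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    out = b""
    for label in [l for l in name.rstrip(".").split(".") if l]:
        raw = label.lower().encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 section 5: SHA-1 over (name || salt), then `iterations`
    further rounds of SHA-1 over (previous digest || salt), base32hex encoded.
    Every round is work the validator repeats for each name it must hash."""
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)
    return b32.rstrip("=").lower()


def canonical_key(name: str):
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels compared
    from the root downwards, bytewise, case-insensitively."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def in_gap(lo, hi, x, key) -> bool:
    """True if x lies strictly between lo and hi in the order given by key.
    The last record of either chain points back to the first (lo > hi), so
    that gap covers everything past lo and everything before hi."""
    klo, khi, kx = key(lo), key(hi), key(x)
    if klo < khi:
        return klo < kx < khi
    return kx > klo or kx < khi


def nsec_chain(names):
    """NSEC chain: names in canonical order, each pointing at the next and
    wrapping to the apex.  Both endpoints of every gap are real names."""
    ordered = sorted(names, key=canonical_key)
    return [(n, ordered[(i + 1) % len(ordered)]) for i, n in enumerate(ordered)]


def nsec3_chain(names, salt, iterations):
    """NSEC3 chain: the same names as hashes in base32hex order.  The
    endpoints are hashes, so the gap names no owner directly."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def covering_record(chain, x, key):
    """The (owner, next) pair whose gap covers x, or None when x is itself an
    owner (the name exists, so no record may deny it)."""
    for lo, hi in chain:
        if in_gap(lo, hi, x, key):
            return (lo, hi)
    return None


def nsec_denies(chain, qname):
    """NSEC: compare the query name directly against the chain."""
    return covering_record(chain, qname, canonical_key)


def nsec3_denies(chain, qname, salt, iterations):
    """NSEC3: the validator must hash the query name first, then compare."""
    return covering_record(chain, nsec3_hash(qname, salt, iterations), str.lower)


# Constructed sample zone and NSEC3 parameters (not real data).
ZONE_NAMES = ["example.", "alpha.example.", "mail.example.", "www.example."]
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12

if __name__ == "__main__":
    qname = "bogus.example."
    print("NSEC  covers", qname, "via", nsec_denies(nsec_chain(ZONE_NAMES), qname))
    print("NSEC3 covers", qname, "via",
          nsec3_denies(nsec3_chain(ZONE_NAMES, SALT, ITERATIONS), qname, SALT, ITERATIONS))
    print("SHA-1 rounds per hashed name:", 1 + ITERATIONS)
```

Running it prints the NSEC gap as the pair (alpha.example., mail.example.) and the NSEC3 gap as two 32-character hashes; with a zone whose contents are already public, as the root is, the hashed form buys nothing, and the 13 SHA-1 rounds per name are pure extra cost on both the authoritative and the validating side.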