dnssec dlv

itservices88 itservices88 at gmail.com
Fri May 21 15:33:12 UTC 2010


I heard that the root zone will be signed (or is already signed), so what
changes would be required with respect to the current additions of adding
dlv.isc.org as trust anchor and its associated trusted key? Do we need to
keep the isc dlv? Or add a new key for the root?

Thanks
-dani

On Thu, May 20, 2010 at 10:07 PM, itservices88 <itservices88 at gmail.com> wrote:

> I missed the trusted key .......... Thanks
>
> Here is the other output
>
>
> # dig +cd +dnssec dlv.isc.org dnskey @localhost
>
> ; <<>> DiG 9.6.2-P1-RedHat-9.6.2-3.P1.fc12 <<>> +cd +dnssec dlv.isc.org dnskey @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63788
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;dlv.isc.org.                   IN      DNSKEY
>
> ;; ANSWER SECTION:
> dlv.isc.org.            6752    IN      DNSKEY  256 3 5
> BEAAAAOlYGw53D+f01yCL5JsP0SB6EjYrnd0JYRBooAaGPT+Q0kpiN+7
> GviFh+nIazoB8e2Yv7mupgqkmIjObdcbGstYpUltdECdNpNmBvASKB9S
> BdtGeRvXXpORi3Qyxb9kHGG7SpzyYbc+KDVKnzYHB94pvqu3ZZpPFPBF tCibp/mkhw==
> dlv.isc.org.            6752    IN      DNSKEY  257 3 5
> BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
> brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
> 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
> ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
> Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
> QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
> dlv.isc.org.            6752    IN      RRSIG   DNSKEY 5 3 7200
> 20100620033002 20100521033002 19297 dlv.isc.org.
> eEHtGjgatqIgxeCCcXJrZpaS5KzlWHbL/uNL9oqd/KnQwyVsqdZKhVR2
> U9xcGmtu0GAUTdogSQvhzK92y1qF9FuLlmlBDc9pvLBCf5dc7kIJ61ey
> vOZi18iZIv9+MyoE2ex/KfAHdHZUp3TUzgen7iGxba/yt9/dcJE6iFhz
> Kk2FSxxG7PFgHRZZJl9aVxuPlNjCnm1gwnuvdKame73tZrlzAK3GBbTo
> IEE2QSKs47glxhF5/Xka4UqYZ7wSvuCPG/xFn67FXVOHFQvZjNBxWX3V
> H1jmoJhyLmpCI4JdwGBr7jwPDURDsL2iAUkfpPIuparlq6DwII3lzrqC gA1M6w==
> dlv.isc.org.            6752    IN      RRSIG   DNSKEY 5 3 7200
> 20100620033002 20100521033002 64263 dlv.isc.org.
> TbUCfqArddr/0K7NVhL+UNQuM2dDremcvzLbWz6odZzIwdC/MqHzzAj6
> rbgHT+uwGZ6t+4ec5Hts9VWh+BEyx5pi6lnhKJjwcFwrXiBauppce11P
> uWG3AiJZeiYoCWu2E4CqhpW96ZrycRQYehWfsmDsR1BCglVytxJwYUhT WMg=
>
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu May 20 21:52:59 2010
> ;; MSG SIZE  rcvd: 936
>
>
>   On Thu, May 20, 2010 at 6:45 PM, Mark Andrews <marka at isc.org> wrote:
>
>>
>> In message <AANLkTikyZnh9_CGPb2EFYE_-yuU4N3bs75Fwzp-jZQRz at mail.gmail.com>,
>> itservices88 writes:
>> > Hi,
>> >
>> > Whenever I enable:
>> >
>> > dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";
>> >
>> > in the named.conf, restart bind, the dns resolution stops. On the same FC12
>> > machine, dig using an outside dns server has no issues resolving with
>> > +dnssec option. I am using bind 9.6.2 that came with FC12.
>> >
>> > Any thoughts?
>> >
>> > -dani
>>
>> Have you added the trusted-keys clause for dlv.isc.org?
>>
>> trusted-keys {
>>        dlv.isc.org. 257 3 5
>> "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
>> };
>>
>> Does "dig +cd +dnssec dlv.isc.org dnskey" return RRSIGs?
>>
>> e.g.
>> ; <<>> DiG 9.3.6-P1 <<>> +cd +dnssec dlv.isc.org dnskey
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14675
>> ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;dlv.isc.org.                   IN      DNSKEY
>>
>> ;; ANSWER SECTION:
>> dlv.isc.org.            2077    IN      DNSKEY  256 3 5
>> BEAAAAOlYGw53D+f01yCL5JsP0SB6EjYrnd0JYRBooAaGPT+Q0kpiN+7
>> GviFh+nIazoB8e2Yv7mupgqkmIjObdcbGstYpUltdECdNpNmBvASKB9S
>> BdtGeRvXXpORi3Qyxb9kHGG7SpzyYbc+KDVKnzYHB94pvqu3ZZpPFPBF tCibp/mkhw==
>> dlv.isc.org.            2077    IN      DNSKEY  257 3 5
>> BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
>> brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
>> 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
>> ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
>> Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
>> QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
>> dlv.isc.org.            2077    IN      RRSIG   DNSKEY 5 3 7200
>> 20100619164502 20100520164502 19297 dlv.isc.org.
>> OKURcBkX5iiDC1q87HsSs2xDcDrMm5aPAlYHkPqkHCy7UyTOnCr6cwwN
>> W42mdG4nmpURR4aDGiPlfc1lomE5kA5wOcXASgfMO8eQoOOIyZcBngOb
>> WaE0KY+e/xU37kf7Ms7g6UxTnL+hcjbYgZf2rwN7J1RXf0Z5PfyyASXi
>> ybf3iYGs7GusXgLZ0ZEWQh0zglo2ym56CVt2TbIljJFB0lzAvezos36R
>> SWAYfLLsfGp3v9WfG7e3D8nLvbq5D7+K3IciELr73TVly924uwfAQeEa
>> df40dVR6qyQ++/HWaGr1wOIGLQBRzTX8gKK9RlmcHHcIZo0EFPJo0mf7 Abqpxw==
>> dlv.isc.org.            2077    IN      RRSIG   DNSKEY 5 3 7200
>> 20100619164502 20100520164502 64263 dlv.isc.org.
>> LZd6TanU48C2BNKZhuj4vMyquNE9mnbUmk9Zy+NbIKPmJ+h2uLq2EonO
>> GfUkxku7ZPky9DnJ3O05gwcEbVrFDjqtK+hcweu7x+wu0OaXJNsVRJ69
>> wQpQEkVNgoPNYsHQ6ru65ZwmOm8yRvr/1lXhbJId6j0Y2QZVXvCzVGuA 58Q=
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri May 21 11:45:00 2010
>> ;; MSG SIZE  rcvd: 936
>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>>
>
>
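Added example (not part of the original thread and not ISC's code): the two checks in the quoted reply, a trusted-keys entry and RRSIGs on the DNSKEY answer, can be tied together offline by computing the key tag of the configured key (RFC 4034, Appendix B) and comparing it with the key tag field of the RRSIG records that dig returns. The function names and the abbreviated dig sample are constructed for illustration; the key and the tags 19297 and 64263 are taken from the messages above.

```python
import base64
import re
import struct

# Key-signing key (flags 257) copied from the trusted-keys clause quoted above.
DLV_KSK = (
    "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2"
    "brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+"
    "1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5"
    "ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk"
    "Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM"
    "QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt"
    "TDN0YUuWrBNh"
)

# Constructed sample: RRSIG lines shaped like the dig answer above, signatures elided.
SAMPLE_DIG = """\
dlv.isc.org. 6752 IN RRSIG DNSKEY 5 3 7200 20100620033002 20100521033002 19297 dlv.isc.org. (signature elided)
dlv.isc.org. 6752 IN RRSIG DNSKEY 5 3 7200 20100620033002 20100521033002 64263 dlv.isc.org. (signature elided)
"""

def key_tag(flags, protocol, algorithm, key_b64):
    """Key tag per RFC 4034 Appendix B (valid for algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte  # even offsets are the high octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

RRSIG_RE = re.compile(
    r"\bRRSIG\s+DNSKEY\s+\d+\s+\d+\s+\d+\s+\d{14}\s+\d{14}\s+(\d+)\s")

def rrsig_key_tags(dig_text):
    """Key tags of every RRSIG covering DNSKEY; tolerates quoted, mail-wrapped output."""
    text = re.sub(r"(?m)^[> ]+", "", dig_text)  # drop leading '>' quote markers
    return [int(tag) for tag in RRSIG_RE.findall(text)]

def anchor_signs_dnskey(flags, protocol, algorithm, key_b64, dig_text):
    """True when the configured trust anchor's tag is among the RRSIG signers."""
    return key_tag(flags, protocol, algorithm, key_b64) in rrsig_key_tags(dig_text)

if __name__ == "__main__":
    print("anchor tag:", key_tag(257, 3, 5, DLV_KSK))
    print("signer tags:", rrsig_key_tags(SAMPLE_DIG))
    print("anchor signs DNSKEY RRset:",
          anchor_signs_dnskey(257, 3, 5, DLV_KSK, SAMPLE_DIG))
```

A matching key tag only identifies which key produced the signature; the cryptographic check is still done by the validating resolver.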