DNSSEC authentication and ad parameter

Mark Elkins mje at posix.co.za
Wed Jan 11 07:04:09 UTC 2012


It is working.

------------------------------------------
$ dig test.nknsec.in +dnssec

; <<>> DiG 9.8.1 <<>> test.nknsec.in +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4578
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;test.nknsec.in.			IN	A

;; ANSWER SECTION:
test.nknsec.in.		352	IN	A	10.1.27.25
test.nknsec.in.		352	IN	RRSIG	A 5 3 360 20120204072952 20120105072952
16755 test.nknsec.in.
DcLPb3hVDqal64UQe3Vk4NjbMRwSSWHNy4r/Bk42M2WQLZYBt9p7NpIT
6g1AVdP2vyFs2q4CbA/QLUMeVWptvHBNZcA8/M4DpW5GpsOmC3SeZe01
lCUzbANN/+NNg/PwHsPhLUOEatmjZxfrU3lGpxXFF527ohzxXatZdX48 lsM=

;; AUTHORITY SECTION:
test.nknsec.in.		349	IN	NS	ns1.nknsec.in.
test.nknsec.in.		349	IN	RRSIG	NS 5 3 360 20120204072952 20120105072952
16755 test.nknsec.in. ZOVyGZh6gPB7zT9ZniOy/+NQ
+fwP00b4KagDQ1F9kCwiNjGrSxjmGQQg
VD7R8LM6R4di1BBg8ayWtLQi7dVQdhmB942zy4BH/IYSMkWOf+WtILlx
YAD64F1NoJ4GXKRH7t01fYQRMoOtr2Teuok0KdUctAQNYBOjw280RwkY h9Y=

;; Query time: 3 msec
;; SERVER: 160.124.48.16#53(160.124.48.16)
;; WHEN: Wed Jan 11 08:46:34 2012
;; MSG SIZE  rcvd: 425
-----------------------------------------

You need a recursive resolver set up to do DNSSEC, including 'lookaside'
for the DLV checking. You CAN NOT just use one of the nameservers that
the domain uses. You need to ask that resolver. The resolver handling
the zone (ns1.nknsec.in) will not set the 'ad' bit (assumption being
there are no special configurations like views or multiple resolvers,
etc.) when directly asked.

I wrote a guide on how to do this - http://dnssec.co.za/ - some time
ago. It should still be valid. On the Linux Gentoo distribution, BIND is
almost installed like this by default - except for the 'dlv' portion. I
expect other distributions are similar?

I'll ignore issues like there is only one NS record for this and the
parent (nknsec.in) - ".IN" allows this ????
You should also be able to make the zone at the 'nknsec.in' level secure
from that point onwards as well.
 
On Wed, 2012-01-11 at 10:45 +0530, Gaurav kansal wrote:
> Dear All,
> 
>  
> 
> I had purchased a new domain especially for DNSSEC testing.
> 
> But when I ask my registry to insert my DS keys in .in zone file, I
> got the answer that .in is still not ready for this although .in is
> signed.
> 
>  
> 
> I tried to authenticate my domain through ISC dlv.
> 
> I upload my DS key there and it is showing a “GOOD” status for my
> domain but still I am not getting “ad” parameter in my dig answer.
> 
>  
> 
> Anyone please explain what I have to do next so that I can give
> authenticated answer for test.nknsec.in domain.
> 
> 
> Zone List
> 
> Zone Name        Status   DNSKEYs
> test.nknsec.in   Good     1
> 
> 
> 
> Please don't print this e-mail until & unless you really need, it will
> save Trees on Planet Earth. 
> 
> 
> 
> IPv4 is Over,
> 
> Are your ready for new Network.
> 
> 
> Thanks n Regards, 
> GAURAV KANSAL 
> 9910118448 
> VoIP - 6259 
> Operation And Routing Unit 
> NIC , NEW DELHI 
> 

-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
