DNSSEC authentication and ad parameter

Marc Lampo marc.lampo at eurid.eu
Wed Jan 11 07:22:27 UTC 2012


Hello,

The authoritative NS for nknsec.in. *does* give answers with corresponding RRSIGs!

$ dig @ns1.nknsec.in. test.nknsec.in. +dnssec +short
10.1.27.25
A 5 3 360 20120204072952 20120105072952 16755 test.nknsec.in.
DcLPb3hVDqal64UQe3Vk4NjbMRwSSWHNy4r/Bk42M2WQLZYBt9p7NpIT
6g1AVdP2vyFs2q4CbA/QLUMeVWptvHBNZcA8/M4DpW5GpsOmC3SeZe01
lCUzbANN/+NNg/PwHsPhLUOEatmjZxfrU3lGpxXFF527ohzxXatZdX48 lsM=

-> there is an A record and an RRSIG over that A record



I hope you do not expect that (authoritative) NS to provide answers with the AD-bit set? Because it will not!

Name servers in the authoritative role for a domain will never set the AD-bit; they will provide DNSSEC data (NSEC(3), RRSIG, DNSKEY) allowing validating caching and forwarding name servers to perform validation.

Those validating name servers will set the AD-bit to indicate they performed verification and found everything OK.



Since, apparently, in .in you cannot get the DS information of your domain published yet, DLV is the only way to somehow establish a "chain-of-trust". That requires that validating clients must also be configured for DLV. And my feeling is, with the growing number of top-level domains getting ready for DNSSEC, there will be less and less demand for DLV (didn't I see a message stating end-of-life?).





Hope this is somehow helpful – if only to state that you should not expect the AD-bit set from name servers in the authoritative role.





Kind regards,

Marc Lampo
Security Officer
EURid (for .eu)
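As an added illustration of the point above (not code from the thread): a small POSIX shell helper that reads the full output of `dig ... +dnssec` and reports whether the answer was validated (AD flag present, only a validating resolver sets it), merely signed (RRSIGs present but no AD, as an authoritative server returns), or unsigned. The sample dig outputs are constructed from the records shown above, with the signature replaced by a placeholder; the resolver-side DLV setting mentioned in the comments is the `dnssec-lookaside auto;` option of BIND 9.8/9.9, not anything taken from this thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify a full `dig ... +dnssec`
# output (NOT +short, which omits the ";; flags:" line and therefore can
# never show AD) as "validated", "signed-only" or "unsigned".
# Reads the dig output on stdin.
classify_dig_output() {
    out=$(cat)
    # The flags line looks like:  ;; flags: qr rd ra ad; QUERY: 1, ...
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    if printf ' %s ' "$flags" | grep -q ' ad '; then
        # Only a validating resolver sets AD: it checked the chain of trust
        # (DS in the parent, a trust anchor, or a DLV lookup) and found it OK.
        echo validated
    elif printf '%s\n' "$out" | grep -q 'IN[[:space:]]*RRSIG'; then
        # Signed data is present (typical for an authoritative server, flag
        # "aa"), but nobody validated it on this path.
        echo signed-only
    else
        echo unsigned
    fi
}

# Constructed sample: the kind of answer an authoritative server such as
# ns1.nknsec.in gives (aa set, RRSIG present, no ad). Signature is a placeholder.
AUTH_SAMPLE=';; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
test.nknsec.in. 360 IN A 10.1.27.25
test.nknsec.in. 360 IN RRSIG A 5 3 360 20120204072952 20120105072952 16755 test.nknsec.in. PLACEHOLDER-SIG='

# Constructed sample: the same answer relayed by a validating resolver that
# could build a chain of trust (ad set, e.g. via DLV with dnssec-lookaside auto;).
VALIDATED_SAMPLE=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
test.nknsec.in. 360 IN A 10.1.27.25
test.nknsec.in. 360 IN RRSIG A 5 3 360 20120204072952 20120105072952 16755 test.nknsec.in. PLACEHOLDER-SIG='

# Constructed sample: a plain unsigned answer from a non-validating cache.
PLAIN_SAMPLE=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.invalid. 300 IN A 192.0.2.1'

# Live use (needs network):  dig @ns1.nknsec.in. test.nknsec.in. +dnssec | classify_dig_output
printf '%s\n' "$AUTH_SAMPLE"      | classify_dig_output   # signed-only
printf '%s\n' "$VALIDATED_SAMPLE" | classify_dig_output   # validated
printf '%s\n' "$PLAIN_SAMPLE"     | classify_dig_output   # unsigned
```

Point the live query at your validating resolver rather than at the authoritative server to see whether AD appears; the authoritative server will only ever produce "signed-only".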





From: Gaurav kansal [mailto:gaurav.kansal at nic.in]
Sent: 11 January 2012 06:16 AM
To: bind-users at lists.isc.org
Subject: DNSSEC authentication and ad parameter



Dear All,

I purchased a new domain especially for DNSSEC testing.

But when I asked my registry to insert my DS keys in the .in zone file, I got the answer that .in is still not ready for this, although .in is signed.

I tried to authenticate my domain through ISC DLV.

I uploaded my DS key there and it is showing a "GOOD" status for my domain, but still I am not getting the "ad" parameter in my dig answer.

Could anyone please explain what I have to do next so that I can give authenticated answers for the test.nknsec.in domain?


Zone List (as shown on dlv.isc.org):

Zone Name        Status   DNSKEYs
test.nknsec.in   Good     1

Zone details: <https://dlv.isc.org/zones/7129>

Thanks and Regards,
GAURAV KANSAL
9910118448
VoIP - 6259
Operation And Routing Unit
NIC, NEW DELHI