DNSSEC authentication and ad parameter

Gaurav kansal gaurav.kansal at nic.in
Wed Jan 11 10:13:00 UTC 2012


Dear Marc,

 

Thanks for detailed explanation.

Now I understand why I was not getting the “AD” flag set in the query response.

 

I also tried Google DNS (8.8.8.8) but didn’t get the “AD” bit set. This may
be because 8.8.8.8 is not configured for DLV validation.

 

Is there any open DNS resolver available from which I can check whether my
domain gets the “AD” flag set?

Please don't print this e-mail unless you really need to; it will save
trees on Planet Earth.



IPv4 is Over,

Are you ready for the new Network?


Thanks and regards,
GAURAV KANSAL
9910118448
VoIP - 6259
Operation And Routing Unit
NIC , NEW DELHI

From: Marc Lampo [mailto:marc.lampo at eurid.eu] 
Sent: Wednesday, January 11, 2012 12:52 PM
To: 'Gaurav kansal'; bind-users at lists.isc.org
Subject: RE: DNSSEC authentication and ad parameter

 

Hello,

 

The authoritative NS for nknsec.in. *does* give answers with the corresponding
RRSIGs!

$ dig @ns1.nknsec.in. test.nknsec.in. +dnssec +short

10.1.27.25

A 5 3 360 20120204072952 20120105072952 16755 test.nknsec.in.
DcLPb3hVDqal64UQe3Vk4NjbMRwSSWHNy4r/Bk42M2WQLZYBt9p7NpIT
6g1AVdP2vyFs2q4CbA/QLUMeVWptvHBNZcA8/M4DpW5GpsOmC3SeZe01
lCUzbANN/+NNg/PwHsPhLUOEatmjZxfrU3lGpxXFF527ohzxXatZdX48 lsM=

→ there is an A record and an RRSIG over that A record

 

I hope you do not expect that (authoritative) NS to provide answers with the
AD bit set? Because it will not!

Name servers in the authoritative role for a domain will never set the
AD bit; they will provide DNSSEC data (NSEC(3), RRSIG, DNSKEY) allowing
validating caching and forwarding name servers to perform validation.

Those validating name servers will set the AD bit to indicate they performed
verification and found everything OK.

 

Since, apparently, in .in you cannot get the DS information of your domain
published yet, DLV is the only way to somehow establish a “chain of trust”.
That requires that validating clients must also be configured for DLV.
And my feeling is, with the growing number of top-level domains getting
ready for DNSSEC, there will be less and less demand for DLV (didn’t I see a
message stating end-of-life?).

Hope this is somehow helpful, if only to state that you should not expect
the AD bit set from name servers in the authoritative role.

Kind regards,

 

Marc Lampo

Security Officer

EURid (for .eu)
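The dig +short output quoted above prints the RRSIG in presentation order: type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer name, signature. The following is an added example, not code from this thread or from BIND: it parses exactly that record text (copied from the post, with the base64 signature re-joined across its three wrapped lines) and runs the checks a validator performs before it touches any cryptography: the validity window, the labels field (wildcard detection) and the signer/owner relationship. The DNSKEY with key tag 16755 is not on the page, so the signature itself is not verified; the algorithm table and the "now" timestamps are the only things supplied here.

```python
import base64
from datetime import datetime, timezone

# Added example (not from the post): parse an RRSIG in the presentation format
# that `dig +short` printed (RFC 4034 section 3.2) and run the checks a
# validator performs before it touches any cryptography: validity window,
# label count (wildcard detection) and signer/owner relationship.
# The record text is copied from the post; the base64 signature was wrapped
# over three lines there and is joined here.
RRSIG_TEXT = (
    "A 5 3 360 20120204072952 20120105072952 16755 test.nknsec.in. "
    "DcLPb3hVDqal64UQe3Vk4NjbMRwSSWHNy4r/Bk42M2WQLZYBt9p7NpIT"
    "6g1AVdP2vyFs2q4CbA/QLUMeVWptvHBNZcA8/M4DpW5GpsOmC3SeZe01"
    "lCUzbANN/+NNg/PwHsPhLUOEatmjZxfrU3lGpxXFF527ohzxXatZdX48"
    "lsM="
)

# DNSSEC algorithm numbers from the IANA registry (the common ones only)
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
              15: "ED25519"}


def parse_time(s):
    """RRSIG times are YYYYMMDDHHmmSS in UTC, or a bare 32-bit integer."""
    if len(s) == 14 and s.isdigit():
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(s), tz=timezone.utc)


def parse_rrsig(text):
    """Split the eight fixed fields; everything after them is base64 signature."""
    fields = text.split()
    if len(fields) < 9:
        raise ValueError("RRSIG needs 8 fields plus signature data")
    covered, alg, labels, orig_ttl, exp, inc, key_tag, signer = fields[:8]
    return {
        "type_covered": covered,
        "algorithm": int(alg),
        "labels": int(labels),
        "original_ttl": int(orig_ttl),
        "expiration": parse_time(exp),
        "inception": parse_time(inc),
        "key_tag": int(key_tag),
        "signer": signer.rstrip(".").lower(),
        "signature": base64.b64decode("".join(fields[8:])),
    }


def label_count(name):
    return len([l for l in name.rstrip(".").split(".") if l])


def check_rrsig(text, owner, now_text):
    """Return (parsed record, list of problems) for the given owner and time."""
    r = parse_rrsig(text)
    now = parse_time(now_text)
    owner = owner.rstrip(".").lower()
    problems = []
    # RFC 4035 5.3.1: the current time must fall inside [inception, expiration].
    # Absolute comparison is used here; a real validator uses RFC 1982 serial
    # arithmetic on the 32-bit values, which only differs near the 2106 wrap.
    if not (r["inception"] <= now <= r["expiration"]):
        problems.append("outside validity window %s .. %s" % (
            r["inception"].strftime("%Y%m%d%H%M%S"),
            r["expiration"].strftime("%Y%m%d%H%M%S")))
    # A labels field smaller than the owner's label count means the answer was
    # synthesized from a wildcard; a validator must then also check NSEC/NSEC3.
    if r["labels"] < label_count(owner):
        problems.append("wildcard-expanded answer (labels %d < %d)"
                        % (r["labels"], label_count(owner)))
    if r["labels"] > label_count(owner):
        problems.append("labels field larger than owner name: bogus")
    # The signer must be the owner itself or an ancestor (the zone apex).
    if not (owner == r["signer"] or owner.endswith("." + r["signer"])):
        problems.append("signer %s is not an ancestor of %s" % (r["signer"], owner))
    return r, problems


if __name__ == "__main__":
    when = "20120111101300"  # the date of the post, UTC
    rec, probs = check_rrsig(RRSIG_TEXT, "test.nknsec.in", when)
    print("algorithm %d (%s), key tag %d, %d-byte signature"
          % (rec["algorithm"], ALGORITHMS.get(rec["algorithm"], "?"),
             rec["key_tag"], len(rec["signature"])))
    print("problems:", probs or "none (still needs the DNSKEY with that key tag)")
```

On the date of the post the record is inside its window (2012-01-05 to 2012-02-04), the labels field 3 matches the three labels of test.nknsec.in (so no wildcard), and the signer is the owner itself. The decoded signature is 128 bytes, which for algorithm 5 (RSASHA1) means a 1024-bit modulus. A month later the same record is expired, which is the failure mode that silently turns a signed zone bogus when re-signing is not automated.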

 

 

From: Gaurav kansal [mailto:gaurav.kansal at nic.in] 
Sent: 11 January 2012 06:16 AM
To: bind-users at lists.isc.org
Subject: DNSSEC authentication and ad parameter

 

Dear All,

 

I had purchased a new domain especially for DNSSEC testing.

But when I asked my registry to insert my DS keys in the .in zone file, I got
the answer that .in is still not ready for this, although .in is signed.

 

I tried to authenticate my domain through ISC DLV.

I uploaded my DS key there and it shows a “GOOD” status for my domain, but
I am still not getting the “ad” parameter in my dig answer.

 

Can anyone please explain what I have to do next so that I can give
authenticated answers for the test.nknsec.in domain?


Zone List (dlv.isc.org)

Zone Name         Status   DNSKEYs
test.nknsec.in    Good     1

Details: <https://dlv.isc.org/zones/7129>

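The question in this message (no "ad" in the dig answer), Marc's reply (authoritative servers hand out RRSIGs but do not set AD; validating resolvers do) and the follow-up question (which open resolver to test against) all come down to reading two bits: the DO bit the client sets in its EDNS0 OPT record, and the AD bit a validating resolver sets in the response header. The following is an added example, not code from this thread or from BIND: it builds the same query `dig +dnssec` sends, decodes the response header, and classifies the three outcomes discussed in the thread using constructed header-only responses (the transaction id, the three sample responses and the live helper's resolver address are assumptions of the example). A validating resolver will generally only report AD when the query carried DO or AD (RFC 6840 section 5.7), which is why the check must be made with `dig +dnssec` or `dig +adflag` rather than a plain query.

```python
import os
import socket
import struct

# Added example (not from the post): build a DNS query with the EDNS0 DO bit
# set, as `dig +dnssec` does, and decode the header flags of a response to see
# who answered and whether the AD bit is present.  Header layout is RFC 1035
# section 4.1.1 plus the AD and CD bits of RFC 4035 section 3.2.3:
#   QR(15) Opcode(11-14) AA(10) TC(9) RD(8) RA(7) Z(6) AD(5) CD(4) RCODE(0-3)
FLAG_QR = 1 << 15
FLAG_AA = 1 << 10
FLAG_TC = 1 << 9
FLAG_RD = 1 << 8
FLAG_RA = 1 << 7
FLAG_AD = 1 << 5
FLAG_CD = 1 << 4
EDNS_DO = 1 << 15       # RFC 3225: top bit of the OPT record's 16-bit flags
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, want_dnssec=True):
    """Recursive query; with want_dnssec an OPT RR carrying DO=1 is appended."""
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if want_dnssec:
        # OPT pseudo-RR: root owner name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE (8) | version (8) | flags (16), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_flags(message):
    """Decode the 12-byte header; section contents are not needed for this check."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC), "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD), "rcode": flags & 0xF,
        "ancount": an,
    }


def classify(flags):
    """Explain an AD result the way the thread does."""
    if not flags["qr"]:
        return "not a response"
    if flags["aa"]:
        # An authoritative server hands out RRSIG/DNSKEY/NSEC data for others
        # to validate; by default it does not set AD on its own zone data.
        return "authoritative answer: AD is not expected from the zone's own server"
    if flags["ad"]:
        return "validating resolver: chain of trust verified"
    if flags["ra"]:
        return "resolver did not validate (no trust anchor/DLV path, or validation disabled)"
    return "non-recursive, non-authoritative response"


def sample_response(kind, txid=0x1234):
    """Constructed header-only responses for the three cases discussed in the thread."""
    cases = {
        # answer from a validating resolver: A + RRSIG in the answer section
        "validated": FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD,
        # same data from a resolver that does not validate (no DLV/DS chain)
        "unvalidated": FLAG_QR | FLAG_RD | FLAG_RA,
        # what the zone's own authoritative server returns: AA set, RA and AD clear
        "authoritative": FLAG_QR | FLAG_AA | FLAG_RD,
    }
    return struct.pack("!HHHHHH", txid, cases[kind], 1, 2, 0, 1)


def query_resolver(resolver_ip, name, timeout=3.0):
    """Live check (needs network): send the DO query over UDP and decode the flags."""
    txid = int.from_bytes(os.urandom(2), "big")
    q = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    flags = parse_flags(data)
    if flags["id"] != txid:
        raise ValueError("transaction id mismatch")
    return flags


if __name__ == "__main__":
    for kind in ("validated", "unvalidated", "authoritative"):
        f = parse_flags(sample_response(kind))
        print("%-13s ad=%d aa=%d ra=%d -> %s" % (kind, f["ad"], f["aa"], f["ra"], classify(f)))
```

Run against the zone's own name server the answer carries AA and no AD, exactly as Marc describes; run against a resolver that validates and has a path to the zone's keys (a DS in the parent or, in 2012, the ISC DLV registry) it carries RA and AD; run against a resolver that does not validate it carries the same A and RRSIG records with RA but without AD. For a BIND resolver that means `dnssec-validation yes;` in named.conf, and in that era `dnssec-lookaside auto;` for the DLV registry; a resolver without the lookaside configuration cannot set AD for a zone whose only trust path is DLV.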

 
