DNSSEC authentication and ad parameter
Gaurav kansal
gaurav.kansal at nic.in
Wed Jan 11 10:13:00 UTC 2012
Dear Marc,
Thanks for detailed explanation.
Now, I understand why I was not getting my AD flag set in query response.
I tried from Google DNS (8.8.8.8) also but didn't get the AD bit set. This may
be because 8.8.8.8 might not be configured for DLV validation.
Is there any open DNS available from which I can check my domain for the AD
flag being set?
Please don't print this e-mail unless you really need to; it will save
trees on Planet Earth.
IPv4 is over,
Are you ready for the new network?
Thanks and Regards,
GAURAV KANSAL
9910118448
VoIP - 6259
Operation And Routing Unit
NIC , NEW DELHI
From: Marc Lampo [mailto:marc.lampo at eurid.eu]
Sent: Wednesday, January 11, 2012 12:52 PM
To: 'Gaurav kansal'; bind-users at lists.isc.org
Subject: RE: DNSSEC authentication and ad parameter
Hello,
The authoritative NS for nknsec.in. *does* give answers with corresponding
RRSIGs!
$ dig @ns1.nknsec.in. test.nknsec.in. +dnssec +short
10.1.27.25
A 5 3 360 20120204072952 20120105072952 16755 test.nknsec.in.
DcLPb3hVDqal64UQe3Vk4NjbMRwSSWHNy4r/Bk42M2WQLZYBt9p7NpIT
6g1AVdP2vyFs2q4CbA/QLUMeVWptvHBNZcA8/M4DpW5GpsOmC3SeZe01
lCUzbANN/+NNg/PwHsPhLUOEatmjZxfrU3lGpxXFF527ohzxXatZdX48 lsM=
-> there is an A record and an RRSIG over that A record.
I hope you do not expect that (authoritative) NS to provide answers with the
AD-bit set?
Because it will not!
Name servers in the authoritative role for a domain will never set the AD-bit;
they will provide DNSSEC data (NSEC(3), RRSIG, DNSKEY) allowing validating
caching and forwarding name servers to perform validation.
Those validating name servers will set the AD-bit to indicate they performed
verification and found everything OK.
Since, apparently, in .in you cannot get the DS information of your domain
published yet, DLV is the only way to somehow establish a chain-of-trust.
That requires that validating clients must also be configured for DLV.
And my feeling is, with the growing number of top-level domains getting
ready for DNSSEC, there will be less and less demand for DLV (didn't I see a
message stating end-of-life?).
Hope this is somehow helpful, if only to state that you should not expect the
AD-bit set from name servers in the authoritative role.
Kind regards,
Marc Lampo
Security Officer
EURid (for .eu)
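To make the header-flag distinction above concrete, here is an added example (not code from the thread or from ISC/EURid): it builds the kind of query `dig +dnssec` sends (RD set, EDNS0 OPT record with the DO bit) and parses the flags word of constructed responses to tell an authoritative answer (AA set, AD never set) from a validated one (AD set by a validating recursive resolver) and from an unvalidated recursive answer (neither). The three responses and the query are constructed inside the script for the name test.nknsec.in from the thread; they carry only a header and question, not real RRSIGs, and no network is used.

```python
"""Added example: inspect the DNS header bits this thread is about.

`dig +dnssec` sets the DO bit in an EDNS0 OPT record to ask for RRSIGs;
the AD bit in the response header is set only by a validating recursive
resolver, never by an authoritative server (which sets AA instead).
All messages below are constructed here; nothing is sent on the wire."""
import struct

# Header flag bits (RFC 1035 for QR/AA/TC/RD/RA, RFC 4035 for AD/CD).
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
FLAG_NAMES = (("qr", FLAG_QR), ("aa", FLAG_AA), ("tc", FLAG_TC), ("rd", FLAG_RD),
              ("ra", FLAG_RA), ("ad", FLAG_AD), ("cd", FLAG_CD))
TYPE_OPT = 41
DO_BIT = 0x8000  # top bit of the OPT record's TTL field (RFC 3225)


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(txid, flags, qname, qtype=1, with_opt_do=False):
    """Header + one question (+ optional EDNS0 OPT record carrying DO=1)."""
    arcount = 1 if with_opt_do else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if with_opt_do:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return msg


def build_dnssec_query(qname, txid=0x1234):
    """What `dig +dnssec qname` sends: RD set, EDNS0 OPT with DO set."""
    return build_message(txid, FLAG_RD, qname, with_opt_do=True)


def parse_flags(msg):
    """Return the flag names dig prints for this message's header."""
    _txid, flags, *_ = struct.unpack("!HHHHHH", msg[:12])
    return [name for name, bit in FLAG_NAMES if flags & bit]


def _skip_name(msg, pos):
    """Advance past a wire-format name, including a compression pointer."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer ends the name
            return pos + 2
        pos += 1 + length


def do_bit_set(msg):
    """True if the message carries an EDNS0 OPT record with DO=1."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == TYPE_OPT:
            return bool(ttl & DO_BIT)
        pos += 10 + rdlen
    return False


def classify_response(msg):
    """Name the role that answered, following the reasoning in the thread."""
    flags = parse_flags(msg)
    if "ad" in flags:
        return "validated by a recursive resolver (AD set)"
    if "aa" in flags:
        return "authoritative answer (AA set; this role never sets AD)"
    return "recursive answer, not validated (no AD)"


# Constructed sample messages for the name discussed in the thread.
QUERY = build_dnssec_query("test.nknsec.in")
AUTH_RESPONSE = build_message(0x1234, FLAG_QR | FLAG_AA | FLAG_RD, "test.nknsec.in")
VALIDATED_RESPONSE = build_message(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, "test.nknsec.in")
UNVALIDATED_RESPONSE = build_message(0x1234, FLAG_QR | FLAG_RD | FLAG_RA, "test.nknsec.in")

if __name__ == "__main__":
    print("query has DO bit:", do_bit_set(QUERY))
    for label, resp in (("authoritative", AUTH_RESPONSE),
                        ("validating", VALIDATED_RESPONSE),
                        ("non-validating", UNVALIDATED_RESPONSE)):
        print(f"{label:15s} flags: {' '.join(parse_flags(resp)):15s} -> {classify_response(resp)}")
```

The practical consequence for the question in the thread: the AD bit can only appear when the resolver you ask both validates and can build a chain of trust to the zone, so with no DS in .in that means a resolver that has DLV enabled (in BIND 9 of that era, `dnssec-lookaside auto;` in the options block); a resolver that validates but knows nothing about DLV answers like the "non-validating" sample above, with RA set and AD clear, even though the zone's own records and RRSIGs are fine.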
From: Gaurav kansal [mailto:gaurav.kansal at nic.in]
Sent: 11 January 2012 06:16 AM
To: bind-users at lists.isc.org
Subject: DNSSEC authentication and ad parameter
Dear All,
I purchased a new domain especially for DNSSEC testing.
But when I asked my registry to insert my DS keys in the .in zone file, I got the
answer that .in is still not ready for this, although .in is signed.
I tried to authenticate my domain through ISC DLV.
I uploaded my DS key there and it is showing a GOOD status for my domain, but
still I am not getting the ad parameter in my dig answer.
Can anyone please explain what I have to do next so that I can give
authenticated answers for the test.nknsec.in domain?
Zone List (from dlv.isc.org)
Zone Name        Status   DNSKEYs
test.nknsec.in   Good     1