How to Setup DNSSEC

Mark Andrews marka at isc.org
Wed Oct 17 02:54:48 UTC 2012


In message <507E1C73.6050107 at riseup.net>, pangj writes:
> Hi,
> 
> $ dig +dnssec udp53.org soa
> 
> ; <<>> DiG 9.6.1-P2 <<>> +dnssec udp53.org soa
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37254
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;udp53.org.                     IN      SOA
> 
> ;; ANSWER SECTION:
> udp53.org.              3600    IN      SOA     blox.wetworks.org. 
> alan.clegg.com. 1259962123 86400 3600 2419200 300
> udp53.org.              3600    IN      RRSIG   SOA 8 2 3600 
> 20121030214830 20121016204830 48948 udp53.org. 
> eVftM2Iu4Q/pn0AVW3EXYricq2BagrleTAbQvAtbqOOj3UgSzQHwxR/i 
> 2zOTayebAx65K7mDql1qXaXUh7GAj1fmjKiaf1YR4QR1RHg2tV5dFEuP 
> j6bha3QD0YfxS8pPGywsNeLn+6BwM2FrSOKefvc1S/GAv6y9ei/gj8qG 94Y=
> 
> 
> From the result above, I didn't see an AD flag set. Why?

There is no DS for udp53.org so there is no secure trust chain.

> The nameserver in /etc/resolv.conf is 119.147.163.133 which is a 
> standard BIND.
> $ dig txt chaos version.bind @119.147.163.133 +short
> "9.6.1-P2"
 
Upgrade.  BIND 9.6.1-P2 is seriously out of date and has known
security vulnerabilities.  The current release on the BIND 9.6 train
is 9.6-ESV-R8 which is about 12 maintenance releases further on
than the code you are running.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
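
An added example, not part of the original message: a small Python check that reads the dig output quoted above and reports which DNSSEC case it shows. The function names and result labels are made up for this illustration, and the signature data in the sample is shortened to "(sig)".

```python
import re

# Lines taken from the dig output quoted in the message above; the RRSIG
# signature blob is replaced by "(sig)" because it is not needed here.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37254
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11
; EDNS: version: 0, flags: do; udp: 4096
udp53.org. 3600 IN SOA blox.wetworks.org. alan.clegg.com. 1259962123 86400 3600 2419200 300
udp53.org. 3600 IN RRSIG SOA 8 2 3600 20121030214830 20121016204830 48948 udp53.org. (sig)
"""

def parse_dig(text):
    """Extract the DNSSEC-relevant facts from dig's text output."""
    info = {"status": None, "flags": set(), "do": False, "rrsigs": []}
    for line in text.splitlines():
        if "->>HEADER<<-" in line:
            m = re.search(r"status: (\w+)", line)
            info["status"] = m.group(1) if m else None
        m = re.match(r";; flags:\s*([a-z ]*);", line)
        if m:  # header flags: qr, rd, ra, ad, cd, ...
            info["flags"] = set(m.group(1).split())
        m = re.match(r"; EDNS:.*flags:\s*([a-z ]*);", line)
        if m:  # EDNS flags: "do" means DNSSEC records were requested
            info["do"] = "do" in m.group(1).split()
        f = line.split()
        if not line.startswith(";") and len(f) >= 12 and f[3] == "RRSIG":
            info["rrsigs"].append({"covers": f[4], "algorithm": int(f[5]),
                                   "key_tag": int(f[10]), "signer": f[11]})
    return info

def diagnose(info):
    """Classify the response by AD flag, DO bit and presence of RRSIGs."""
    if "ad" in info["flags"]:
        return "validated"               # resolver built a full trust chain
    if not info["do"]:
        return "dnssec-not-requested"    # no DO bit, so no RRSIGs expected
    if info["rrsigs"]:
        # Zone is signed but the resolver did not assert validity: it is not
        # validating, or there is no chain of trust (e.g. no DS in the parent).
        return "signed-but-unvalidated"
    return "unsigned-or-stripped"

if __name__ == "__main__":
    parsed = parse_dig(SAMPLE)
    print(diagnose(parsed), parsed["rrsigs"])
```

For the "signed-but-unvalidated" case, a DS query for the zone (`dig +dnssec DS udp53.org`) shows whether the parent publishes the link the reply says is missing.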


