How to Setup DNSSEC
Mark Andrews
marka at isc.org
Wed Oct 17 02:54:48 UTC 2012
In message <507E1C73.6050107 at riseup.net>, pangj writes:
> Hi,
>
> $ dig +dnssec udp53.org soa
>
> ; <<>> DiG 9.6.1-P2 <<>> +dnssec udp53.org soa
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37254
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;udp53.org. IN SOA
>
> ;; ANSWER SECTION:
> udp53.org. 3600 IN SOA blox.wetworks.org.
> alan.clegg.com. 1259962123 86400 3600 2419200 300
> udp53.org. 3600 IN RRSIG SOA 8 2 3600
> 20121030214830 20121016204830 48948 udp53.org.
> eVftM2Iu4Q/pn0AVW3EXYricq2BagrleTAbQvAtbqOOj3UgSzQHwxR/i
> 2zOTayebAx65K7mDql1qXaXUh7GAj1fmjKiaf1YR4QR1RHg2tV5dFEuP
> j6bha3QD0YfxS8pPGywsNeLn+6BwM2FrSOKefvc1S/GAv6y9ei/gj8qG 94Y=
>
>
> From the result above, I didn't see an AD flag set. Why?

There is no DS for udp53.org so there is no secure trust chain.

> The nameserver in /etc/resolv.conf is 119.147.163.133 which is a
> standard BIND.
> $ dig txt chaos version.bind @119.147.163.133 +short
> "9.6.1-P2"

Upgrade. BIND 9.6.1-P2 is seriously out of date and has known
security vulnerabilities. The current release on the BIND 9.6 train
is 9.6-ESV-R8 which is about 12 maintenance releases further on
than the code you are running.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
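
An added illustration, not part of the original message or of BIND: a small Python classifier for `dig +dnssec` output that separates "RRSIGs were returned" from "the resolver validated the answer (AD set)", the distinction the reply above turns on. The sample outputs are constructed from the shape of the quoted query, with the signature data replaced by a placeholder; the function name and result labels are hypothetical.

```python
import re

# Constructed sample: abbreviated dig output shaped like the response quoted
# above (signature data replaced with a placeholder).
SAMPLE_NO_AD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37254
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
udp53.org. 3600 IN SOA blox.wetworks.org. alan.clegg.com. 1259962123 86400 3600 2419200 300
udp53.org. 3600 IN RRSIG SOA 8 2 3600 20121030214830 20121016204830 48948 udp53.org. PLACEHOLDER=
"""

# Constructed sample: the same response as dig prints it when the AD bit is set.
SAMPLE_AD = SAMPLE_NO_AD.replace("flags: qr rd ra;", "flags: qr rd ra ad;")


def classify(dig_output: str) -> str:
    """Classify a dig +dnssec response by header flags and returned RRSIGs."""
    header = re.search(r"^;; flags:([^;]*);", dig_output, re.M)
    edns = re.search(r"^; EDNS:.*flags:([^;]*);", dig_output, re.M)
    if header is None:
        raise ValueError("no dig header flags line found")
    flags = header.group(1).split()
    do_set = edns is not None and "do" in edns.group(1).split()
    # Resource-record lines are the ones that do not start with ';'.
    rrs = [l.split() for l in dig_output.splitlines() if l and not l.startswith(";")]
    signed = any(len(f) > 3 and f[3] == "RRSIG" for f in rrs)
    if "ad" in flags:
        return "validated"
    if signed:
        # Signatures came back but were not authenticated: no chain of trust
        # (for example no DS at the parent) or the resolver does not validate.
        return "signed-not-validated"
    if not do_set:
        return "dnssec-not-requested"
    return "unsigned-or-stripped"
```
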