setting of a test root nameserver (with DNSSEC)

Michael Richardson mcr at sandelman.ottawa.on.ca
Fri Nov 1 03:09:23 UTC 2002


I am in the process of setting up a series of User-Mode-Linux boxes
(virtual Linux boxes) to act as root DNSSEC servers for our testbench.

If you want to see things, grab:
   ftp://ftp.xs4all.nl/pub/crypto/freeswan/snapshot-2002oct31h.tar.gz

(or tomorrow, there will be another file there. We are supposed to have a
symlink, but I see that it went away)

The files are in testing/baseconfigs/{all,carrot,beet,nic,west}/etc/bind/
The files in "all" are copied to all machines, but not all are used.

beet and carrot are the root name servers. 
You can see: http://www.sandelman.ottawa.on.ca/freeswan/diagrams/dns_hier.png

We are dealing with zones uml.freeswan.org, and 192.in-addr.arpa and subzones.

beet:~# dig . key
; <<>> DiG 9.3.0s20020722 <<>> . key

;; ANSWER SECTION:
.                       3600000 IN      KEY     256 3 1 AQOr2tzOGZzBbIbdEsp1ENtMtNniryEiobGUFjBDQoim9jBy1q7VUan2 hJ+60eIrM1oCF6jyF2fFrnOgYRnZ0zpj

;; AUTHORITY SECTION:
.                       3600000 IN      NS      beet.uml.freeswan.org.
.                       3600000 IN      NS      nic.uml.freeswan.org.

This seems to work fine on localhost.
As does "dig . ns"

On a client, which has:

named.conf:
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.hint";
};

trusted-keys {
       . 256 3 1 "AQOr2tzOGZzBbIbdEsp1ENtMtNniryEiobGUFjBDQoim9jBy1q7VUan2hJ+60e
IrM1oCF6jyF2fFrnOgYRnZ0zpj"; // key id = 54074
};

with:

west:/etc/bind# cat db.hint
;
$TTL    3600000
.                         3600000  IN  NS       beet.uml.freeswan.org.
beet.uml.freeswan.org.    3600000  IN   A     192.1.2.129

I get:

west:/etc/bind# dig . ns

; <<>> DiG 9.3.0s20020722 <<>> . ns
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36944
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                              IN      NS

;; Query time: 678 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov  1 03:02:34 2002
;; MSG SIZE  rcvd: 17

If I turn *off* DNSSEC by commenting out the "trusted-keys" line, then
I do get an answer. Am I doing something trivially stupid here?

Are there known problems with 9.3 snap20020722?
It is important that we resolve all our test bed stuff before we meet
in Atlanta, so that we can be sure our client is actually reacting properly.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
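The post configures a DNSSEC trust anchor by hand (a KEY record copied out of dig into a trusted-keys statement, with a "key id" noted in a comment). Before suspecting the server snapshot, a practitioner would first rule out a mis-copied anchor. The script below is an added example, not part of the original post or of BIND: it takes the dig answer line and the named.conf fragment exactly as they appear above, checks that the configured anchor is byte-for-byte the key the root serves, and recomputes the key tag (RFC 2535 Appendix C for algorithm 1, RFC 4034 Appendix B otherwise) to confirm the "key id = 54074" comment. Function names and the parsing approach are ours; the only data are the post's own.

```python
"""Verify that a hand-configured BIND trusted-keys anchor matches the KEY RR
the root server actually returns, and that the noted key id is the key tag.

Added example, not from the original post. The two inputs below are copied
verbatim from the post; everything else is illustrative code.
"""
import base64
import re

# KEY RR answer line as dig printed it in the post (dig splits long base64).
DIG_KEY_LINE = (
    ".                       3600000 IN      KEY     256 3 1 "
    "AQOr2tzOGZzBbIbdEsp1ENtMtNniryEiobGUFjBDQoim9jBy1q7VUan2 "
    "hJ+60eIrM1oCF6jyF2fFrnOgYRnZ0zpj"
)

# trusted-keys statement as written in the post's named.conf, including the
# line break inside the quoted key material.
TRUSTED_KEYS = '''trusted-keys {
       . 256 3 1 "AQOr2tzOGZzBbIbdEsp1ENtMtNniryEiobGUFjBDQoim9jBy1q7VUan2hJ+60e
IrM1oCF6jyF2fFrnOgYRnZ0zpj"; // key id = 54074
};'''


def parse_dig_key(line):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) from a dig KEY/DNSKEY line."""
    f = line.split()
    if f[3] not in ("KEY", "DNSKEY"):
        raise ValueError("not a KEY/DNSKEY record: %r" % line)
    pubkey = base64.b64decode("".join(f[7:]))  # rejoin dig's base64 chunks
    return f[0], int(f[4]), int(f[5]), int(f[6]), pubkey


def parse_trusted_keys(text):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes, commented_key_id)
    from a BIND trusted-keys statement; commented_key_id is None if absent."""
    m = re.search(
        r'^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;'
        r'(?:\s*//\s*key id\s*=\s*(\d+))?',
        text, re.M)
    if not m:
        raise ValueError("no trusted-keys entry found")
    pubkey = base64.b64decode(re.sub(r"\s+", "", m.group(5)))  # drop the line break
    key_id = int(m.group(6)) if m.group(6) else None
    return m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4)), pubkey, key_id


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the KEY/DNSKEY RDATA.

    Algorithm 1 (RSA/MD5) is special-cased as in RFC 2535 App. C: the most
    significant 16 bits of the least significant 24 bits of the modulus.
    All other algorithms use the one's-complement-style sum of RFC 4034 App. B.
    """
    if algorithm == 1:
        return (pubkey[-3] << 8) | pubkey[-2]
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_public_key_fields(pubkey):
    """Split an RFC 3110-format RSA public key into (exponent, modulus)."""
    if pubkey[0] != 0:
        elen, off = pubkey[0], 1
    else:
        elen, off = int.from_bytes(pubkey[1:3], "big"), 3
    exponent = int.from_bytes(pubkey[off:off + elen], "big")
    modulus = int.from_bytes(pubkey[off + elen:], "big")
    return exponent, modulus


def check_anchor(dig_line=DIG_KEY_LINE, trusted=TRUSTED_KEYS):
    """Compare the served KEY with the configured anchor; return the findings."""
    owner, flags, proto, alg, served = parse_dig_key(dig_line)
    t_owner, t_flags, t_proto, t_alg, configured, noted_id = parse_trusted_keys(trusted)
    tag = key_tag(flags, proto, alg, served)
    exponent, modulus = rsa_public_key_fields(served) if alg == 1 else (None, None)
    return {
        "owner_matches": owner == t_owner,
        "rdata_matches": (flags, proto, alg, served) == (t_flags, t_proto, t_alg, configured),
        "key_tag": tag,
        "key_id_comment_matches": noted_id == tag,
        "rsa_exponent": exponent,
        "modulus_bits": modulus.bit_length() if modulus is not None else None,
    }


if __name__ == "__main__":
    for k, v in check_anchor().items():
        print("%-24s %s" % (k, v))
```

Run against the post's data, the anchor and the served key agree and the key tag comes out at 54074, so the "key id" comment is right and the key is a 512-bit RSA/MD5 key with exponent 3. That rules out a copying error in trusted-keys as the cause of the SERVFAIL; the same script can be pointed at any other KEY/DNSKEY line and trusted-keys entry before a test bed is declared working.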