Validating zones as a slave? (Fw: [DNSOP] I-D Action: draft-ietf-dnsop-root-loopback-04.txt)
Evan Hunt
each at isc.org
Tue Sep 15 16:24:47 UTC 2015
On Tue, Sep 15, 2015 at 06:37:30AM +0000, Shane Kerr wrote:
> If you were to download the root file by hand then you could check the
> DNSSEC signatures on it before loading it. For example, you could use
> ldns-verify-zone or jdnssec-verify (I don't know of a utility that
> ships with BIND 9).

dnssec-verify:

    $ dig @f.root-servers.net axfr . > rootzone.db
    $ bin/dnssec/dnssec-verify -o . rootzone.db
    Loading zone '.' from file 'rootzone.db'
    Verifying the zone using the following algorithms: RSASHA256.
    Zone fully signed:
    Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                          ZSKs: 1 active, 0 stand-by, 0 revoked

You can also transfer the zone into one view and validate
it from another; this is the approach recommended in
https://tools.ietf.org/html/draft-wkumari-dnsop-root-loopback-02.
(It has other benefits as well; you don't get spurious AA bits
in your client responses.)

Zone transfers always run over TCP and are almost always TSIG-signed,
so they're fairly difficult to spoof in general. In this one
particular use case, where you're locally slaving the root zone,
there's no TSIG, so a DNSSEC verification step after the transfer
could make some sense. But, there being other ways to accomplish
the same goal, it's probably not going to be a priority.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
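The mail above shows the two commands (dig axfr, then dnssec-verify) but leaves the "only load it if it verified" step to the reader. The script below is an added example, not code from Evan Hunt's mail or from BIND: it runs the same transfer and verification, checks that the AXFR actually completed (dig prints the apex SOA at the start and again at the end of a full transfer, and a failure marker when it did not), and copies the file into place only when dnssec-verify reports "Zone fully signed:". dig and dnssec-verify are the real tools and are assumed to be in PATH; the root server, the scratch file and the install path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the mail or from BIND): slave the root zone by AXFR,
# verify it with dnssec-verify, and install the file only if it verifies.
# ROOT_SERVER, ZONE_FILE and INSTALL_PATH are assumed values for illustration.

ROOT_SERVER="${ROOT_SERVER:-f.root-servers.net}"     # assumed; any root server will do
ZONE_FILE="${ZONE_FILE:-rootzone.db}"                # scratch copy of the transfer
INSTALL_PATH="${INSTALL_PATH:-/var/named/root.db}"  # hypothetical install location

# axfr_complete FILE
# Returns 0 when FILE looks like a complete AXFR of the root zone: no dig
# failure marker, and exactly two SOA records owned by "." (dig prints the
# SOA first and again last on a full transfer; a truncated one has only one).
axfr_complete() {
    if grep -q '^;; Transfer failed' "$1"; then
        return 1
    fi
    soa_count=$(grep -c -E '^\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+SOA[[:space:]]' "$1" || true)
    [ "$soa_count" -eq 2 ]
}

# verify_ok FILE
# Returns 0 when FILE, the captured output of dnssec-verify, reports a fully
# signed zone. Checking the saved text means the result can be audited later.
verify_ok() {
    grep -q '^Zone fully signed:' "$1"
}

# fetch_and_verify
# The procedure from the mail with the two checks above. On any failure the
# previously installed copy is left untouched and the function returns 1.
fetch_and_verify() {
    tmp="${ZONE_FILE}.tmp"
    log="${ZONE_FILE}.verify.log"
    dig @"$ROOT_SERVER" axfr . > "$tmp" || { echo "transfer failed" >&2; return 1; }
    axfr_complete "$tmp" || { echo "incomplete transfer" >&2; return 1; }
    # dnssec-verify exits non-zero when the zone does not verify; its output
    # is kept in $log so the reason can be inspected.
    if ! dnssec-verify -o . "$tmp" > "$log" 2>&1 || ! verify_ok "$log"; then
        echo "DNSSEC verification failed, see $log" >&2
        return 1
    fi
    mv "$tmp" "$ZONE_FILE"
    cp "$ZONE_FILE" "$INSTALL_PATH"   # reloading the server is left to the caller
}

# Only run the network procedure when invoked as "script.sh run", so the
# functions can be sourced and exercised on saved files without network access.
if [ "${1:-}" = run ]; then
    fetch_and_verify
fi
```

Note that this checks the zone's own signatures against its DNSKEY RRset, which is exactly what dnssec-verify does; trusting that DNSKEY RRset still depends on the root trust anchor configured in the resolver, which is why the mail's alternative of transferring into one view and validating from another remains the stronger arrangement.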