Root Zone DNSSEC Deployment Technical Status Update
itservices88
itservices88 at gmail.com
Sun May 16 18:14:58 UTC 2010
Hi,
I was building a test domain for trying out the dnssec. However as mentioned
on various websites "ad" appears in the flags, but i can't see it. The
domain i am using is not real and i am testing from the same machine,
Fedora-12. Any help?
Thanks
options {
dnssec-enable yes;
dnssec-validation yes;
};
[root at ns1 named-data]# dig +dnssec @localhost www
; <<>> DiG 9.6.2-P1-RedHat-9.6.2-3.P1.fc12 <<>> +dnssec @localhost www
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16601
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www. IN A
;; AUTHORITY SECTION:
. 5221 IN SOA a.root-servers.net.
nstld.verisign-grs.com. 2010051600 1800 900 604800 86400
. 5221 IN RRSIG SOA 8 0 86400 20100523070000
20100516060000 55138 .
KTwve6TiQ6ShXCfEcbYusFWOCsx+IwCUumBr4GnwnNq1eqs7tqQaHqkJ
T/ewcvjXvRGOmHjhGRgqkdESse+/fa+tz1sSdvMsTGGI2Ba9/Fbb43Ty
eqsG5cFxbqfXOpwlA4ab9IR2Vkod6genONeYO6rrm2edNwQrf56wrtJr CNM=
. 5221 IN RRSIG NSEC 8 0 86400
20100523070000 20100516060000 55138 .
uIgAQvJUyLjAPwb7zB8wcJ4wk++21g+iF/bJGlpvz4iUJOMwkPgqA2s/
A8W0MhxBjo7918xg6yJeqYwXB+rGG14F7UZfOBVlXIqno5/kXzi4Carh
/8sulBMyHbFmVlOht5SLU230ROaI6+4o0B6IRyiP5Vzgjt00zyFu26Rg Yb8=
. 5221 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
ws. 5221 IN RRSIG NSEC 8 1 86400
20100523070000 20100516060000 55138 .
KsvM0PTDqWt0yoJNZ4k1UGTw0UtJZxsZa17bDHAyY7w1eocZlCqGJNd8
2/WDeJMfCkM+MakJLblnixlI6QcNYV6ctrKZkNuA/iX2rwapouVYoC7G
HxvBLnb5TFWkCML+fhgOWza8RmRnCTY593uBgsPtcgEfTZAzYB+QFCEP 6oI=
ws. 5221 IN NSEC æµè¯. NS RRSIG NSEC
;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 16 11:02:43 2010
;; MSG SIZE rcvd: 641
===============================================================
On Wed, May 5, 2010 at 2:23 PM, Joe Abley <joe.abley at icann.org> wrote:
> Root Zone DNSSEC Deployment
> Technical Status Update 2010-05-05
>
> This is the sixth of a series of technical status updates intended
> to inform a technical audience on progress in signing the root zone
> of the DNS.
>
>
> ** The final transition to a signed root zone took place today
> ** on J-Root, between 1700--1900 UTC.
> **
> ** All root servers are now serving a signed root zone.
> **
> ** All root servers will now generate larger responses to DNS
> ** queries that request DNSSEC information.
> **
> ** If you experience technical problems or need to contact
> ** technical project staff, please send e-mail to rootsign at icann.org
> ** or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred
> ** if possible.
> **
> ** See below for more details.
>
>
> RESOURCES
>
> Details of the project, including documentation published to date,
> can be found at <http://www.root-dnssec.org/>.
>
> We'd like to hear from you. If you have feedback for us, please
> send it to rootsign at icann.org.
>
>
> DEPLOYMENT STATUS
>
> The incremental deployment of DNSSEC in the Root Zone is being
> carried out first by serving a Deliberately Unvalidatable Root Zone
> (DURZ), and subsequently by a conventionally signed root zone.
> Discussion of the approach can be found in the document "DNSSEC
> Deployment for the Root Zone", as well as in the technical presentations
> delivered at RIPE, NANOG, IETF and ICANN meetings.
>
> All of the thirteen root servers have now made the transition to
> the to the DURZ. No harmful effects have been identified.
>
> The final root server to make the transition, J-Root, started serving
> the DURZ in a maintenance window between 1700--1900 UTC on 2010-05-05.
>
> Initial observations relating to this transition will be presented
> and discussed at the DNS Working Group meeting at RIPE 60 in Prague
> on 2010-05-06.
>
>
> PLANNED DEPLOYMENT SCHEDULE
>
> Already completed:
>
> 2010-01-27: L starts to serve DURZ
>
> 2010-02-10: A starts to serve DURZ
>
> 2010-03-03: M, I start to serve DURZ
>
> 2010-03-24: D, K, E start to serve DURZ
>
> 2010-04-14: B, H, C, G, F start to serve DURZ
>
> 2010-05-05: J starts to serve DURZ
>
> To come:
>
> 2010-07-01: Distribution of validatable, production, signed root
> zone; publication of root zone trust anchor
>
> (Please note that this schedule is tentative and subject to change
> based on testing results or other unforeseen factors.)
>
>
>
More information about the NANOG
mailing list