Hi! Where can I find the list of signed domains and their open keys to set up my DNS resolver? Which zones are signed now (except RIPE's ones)?

-- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
* Max Tulyev wrote:
Where can I find the list of signed domains and their open keys to set up my DNS resolver? Which zones are signed now (except RIPE's ones)?
$ host -t axfr dnssec.iks-jena.de.
iks-jena.de has DNSKEY record 257 3 5 AQPRteOmx973cbeIMigT7nciz3dcbt8ssZPGOK2vtPQlEaZO2fKgnm1F o6FPWcGqKv6O1ZpjEw2upKVDnzwMCRHpGe0Qh2TawStviww/jxUtjoZo m9Hy6uIkTvo7TxqnWg55LoHlcsl1kxsF1PsM2Z88F1XhXSrUtkiQnViX bfzR0joDE8xGJ9zRNuzr9Jik+bcv4S4KFOE/Ocn4F5vF7+eojz9m3/u0 gvQdvgFsb7OHr9cYA5GeG++cJWGG6xFF+yWEDdWuu2A7IJM3EQFWLr0k GDS6oWo/5Bz4PlrURjU5wahM1iwLnbKXhQQempzPYnSEs1CW+KH73WjM a76Dna9B
On Feb 24, 2006, at 2:57 PM, Max Tulyev wrote:
Hi!
Where can I find the list of signed domains and their open keys to set up my DNS resolver? Which zones are signed now (except RIPE's ones)?
Hello Max,

There are not many such lists. In fact I know of only one: http://www-x.antd.nist.gov/dnssec/

--Olaf

-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/
Hello Olaf! Thank you! So, as I understand it, to fully implement DNSSEC on my nameds I have to get ALL keys for ALL signed zones and permanently track all of them in case they expire, don't I?
On Feb 24, 2006, at 2:57 PM, Max Tulyev wrote:
Hi!
Where can I find the list of signed domains and their open keys to set up my DNS resolver? Which zones are signed now (except RIPE's ones)?
Hello Max,
There are not many such lists. In fact I know of only one: http://www-x.antd.nist.gov/dnssec/
--Olaf
-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/
-- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
* Max Tulyev wrote:
So, as I understand it, to fully implement DNSSEC on my nameds I have to get ALL keys for ALL signed zones and permanently track all of them in case they expire, don't I?
You are mostly right. You do not need (and should not care about) the keys of chained zones, i.e. zones that have a DS record in the signed parent zone. In those cases you only need the key of the topmost signed zone.

In order to keep the maintenance effort as small as possible, several TLDs offer a separate DNS server which hosts signed subzones. Such servers are available for *.fr, *.net and *.com. The *.se zone is signed using the standard DNS servers.

Another trick to delegate the maintenance work is to use a lookaside zone. There are two zones out there: dlv.verisignlab.com and dnssec.iks-jena.de. A lookaside zone is used by your DNS server to determine a "DS" record for an unknown zone. Consequently the lookaside zone does not contain records for chained zones.

It's up to you. Good luck.
Another trick to delegate the maintenance work is to use a lookaside zone. There are two zones out there: dlv.verisignlab.com and dnssec.iks-jena.de. A lookaside zone is used by your DNS server to determine a "DS" record for an unknown zone. Consequently the lookaside zone does not contain records for chained zones.
It's like black magic :(

localhost bind # ping dlv.verisignlab.com
ping: unknown host dlv.verisignlab.com
localhost bind # ping dnssec.iks-jena.de
ping: unknown host dnssec.iks-jena.de

-- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
On Mon, 2006-02-27 at 14:30 +0300, Max Tulyev wrote:
Another trick to delegate the maintenance work is to use a lookaside zone. There are two zones out there: dlv.verisignlab.com and dnssec.iks-jena.de. A lookaside zone is used by your DNS server to determine a "DS" record for an unknown zone. Consequently the lookaside zone does not contain records for chained zones.
It's like black magic :(
localhost bind # ping dlv.verisignlab.com
ping: unknown host dlv.verisignlab.com
try adding an 's'. The above is a very nice example of a domainsquatter (also something where neither DNSSEC nor TLS can help, as anyone can register any domain).

$ dig -t any dlv.verisignlabs.com
;; Truncated, retrying in TCP mode.
[..]
dlv.verisignlabs.com. 86400 IN NS ns1.dlv.verisignlabs.com.
dlv.verisignlabs.com. 3600 IN DNSKEY 256 3 5 AQOlH7LDa3Sy/rK +WyqydkS94p1hWWhEyTdZhxwuz/1zPGqh8pc8lXNj tOqcVXNSQX1XCSJPhW8XylXlq8gLlyRiVUs+TBoKrGYs7VARuLqZZDW4 Utu +VuDsTCjxjtAgxH15KfJbmnpMP3ffQvDHzyj8F2Dw6aaLHAwot3eI YWOy7w==
[..]
localhost bind # ping dnssec.iks-jena.de
ping: unknown host dnssec.iks-jena.de
Doesn't have an A record, but does have a large number of others. Use the 'dig'.

Greets,
Jeroen
Hi,
It's like black magic :(
localhost bind # ping dlv.verisignlab.com
ping: unknown host dlv.verisignlab.com
I can't find any DNS records for that zone either.
localhost bind # ping dnssec.iks-jena.de
ping: unknown host dnssec.iks-jena.de
But: you are looking only for A and/or AAAA records here. Those are not relevant for what you want to do with DNSSEC. Try "dig dnssec.iks-jena.de any". You will get something like:

; <<>> DiG 9.2.4 <<>> dnssec.iks-jena.de any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10861
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;dnssec.iks-jena.de. IN ANY

;; ANSWER SECTION:
[two TYPE48 (DNSKEY), one TYPE47 (NSEC) and five TYPE46 (RRSIG) records with hex-encoded RDATA omitted]
dnssec.iks-jena.de. 57512 IN SOA avalon.iks-jena.de. hostmaster.iks-jena.de. 2006022702 10800 3600 3600000 3600
dnssec.iks-jena.de. 57512 IN NS avalon.iks-jena.de.

;; AUTHORITY SECTION:
dnssec.iks-jena.de. 57512 IN NS avalon.iks-jena.de.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 27 13:09:35 2006
;; MSG SIZE rcvd: 1631

- Sander
Hi! So what exactly should I do with this?
But: you are looking only for A and/or AAAA records here. Those are not relevant for what you want to do with DNSSEC. Try "dig dnssec.iks-jena.de any"
-- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
* Max Tulyev wrote:
So what exactly should I do with this?
In your named.conf:

options {
    ...
    dnssec-enable yes;
    dnssec-lookaside "." trust-anchor "dnssec.iks-jena.de";
};

trusted-keys {
    "iks-jena.de." 257 3 5 "AQPRteOmx973cbeIMigT7nciz3dcbt8ssZPGOK2vtPQl
                            EaZO2fKgnm1Fo6FPWcGqKv6O1ZpjEw2upKVDnzwMCRHp
                            Ge0Qh2TawStviww/jxUtjoZom9Hy6uIkTvo7TxqnWg55
                            LoHlcsl1kxsF1PsM2Z88F1XhXSrUtkiQnViXbfzR0joD
                            E8xGJ9zRNuzr9Jik+bcv4S4KFOE/Ocn4F5vF7+eojz9m
                            3/u0gvQdvgFsb7OHr9cYA5GeG++cJWGG6xFF+yWEDdWu
                            u2A7IJM3EQFWLr0kGDS6oWo/5Bz4PlrURjU5wahM1iwL
                            nbKXhQQempzPYnSEs1CW+KH73WjMa76Dna9B";
};

What happens now? Imagine you query the A record for coruscant.dyn.niconet.se.

coruscant.dyn.niconet.se. 38 IN A 213.114.39.13
coruscant.dyn.niconet.se. 38 IN RRSIG A 5 4 60 20070120160745 (
        20060119150745 651 dyn.niconet.se.
        F5vLlZAn5k/Mtaw6PSzkxTaTtHS8myV95eEOugY5lepf
        PJIiFbV5HiHZSDpoNXjAhzWzHY96+R0Wd7Qu2UUr3gDn
        Z/YXoHzLqC3lzRS9HSVx9HzzPixjt0/8ChhEK0QMUuhh
        lN8Xq90ayiUdtkK6jDM5CG27VjMbtr/de4475TSmBOut
        m+Jd/B+E8s+OzHTNXphAM0LgGjhS1IZcpMoQyfPbosbD
        K6VqD79nJdjzPZlmE2f0cFesELkJEHC1bcRA32W3BwI6
        k+UB1T+yqf4TJj25BoTwfWVP/AEe4BHe1at44K6LDA2f
        bQc9ibWFGup/O8S8IkcNi76AiA2XVibcjA== )
coruscant.dyn.niconet.se. 38 IN RRSIG A 5 4 60 20070120160745 (
        20060119150745 65120 dyn.niconet.se.
        T+4KN4Ol3e6cPLy7ue4wSd9VwnCWYLxvOSljCtWnQxKp
        oCvrNjkkAV0j1AHHqI5nMK63mbyb+tUudq/3jFX5WhCl
        hCaSWFNH+LIB5982VixgodqCUKJrUTfB2bB33ZD320PO
        msa1H3bJ532Vf2BudACn40bNdjc87mW4sGwv9g7FzEJ0
        yuEkem+fm0AAP2qKBXRkiTSJwo6I3LiwIWODJenAP8XZ
        odhk+PWipFQSNhnPRd3tYIKUYHIOOUMaEFECTdtyTsaM
        K8fIgE1AD6b6XjiQx9eDolIvDmSELc/K12L4qCWJbh84
        burp6AXMm5TpzTCJMbXuc/xPZJIW7D2T/g== )

As you can see, it's signed! Let's check the signatures. First we need the key. From the RRSIG entries both keys reside in the zone dyn.niconet.se. and have the key ids 651 and 65120. So let's retrieve those DNSKEYs.

dyn.niconet.se. 300 IN DNSKEY 256 3 5 (
        AQOfq5czkMFmGPBCa8lXbM+yyNPfBQvn9Uomj3to07kz
        NegN4gqPdfXy2lIhYJ9JF1wQ7bvG2J3fo1Ysu9E2AIn3
        hdesGyiAEGXO1PJqMYmts/1tXtE2HQ8LNa+omo90Ph2O
        5cJN5YKDXdYJ1fZzfJrpza6VHmSeXrVQMsQYx8nO69ns
        rCtmMhopXp9I+Vvv9e7eG8/c4ji60AgigNGYro7GbUQQ
        4YicoRL7USZiXEVWstzXXk+XQ+5IOny6+Q7rij7fdipM
        CZ41vvJ2N0ETMfzZuYR3AcaWVauOxITVnobVZaFfZ5Us
        5Id2FSyW8A1AvDPLMJNZWM23VBhNmmESCnrn ) ; key id = 65120
dyn.niconet.se. 300 IN DNSKEY 257 3 5 (
        AQPCeNlj/rDZis8yPN8GI2WXJpnoIF1iIiS4xCc8gAJM
        77pmuVEalUqhGhjykMA0uSrWrQu0nBl0FvFCp0vL4T+4
        ZLT7Ug7KOTJauiiEuxj7IGNhHh7az6Q0KXf8Y8i1pvvA
        PPWENZJqUgK1YMTJ6t/GTTGld4elhwz5a3vu2aAc2GpZ
        MAqa9idTC8o8x1A8w9e3B7fr2cMwiMnyk3Mk+2SLZAxU
        dk45S8gBuV0UEEUoU5viSkNOgxeaAprO7ORR/AJB/20V
        EiJ9FAsfnjTcqR57GS5NMeh/cIVm46xBwjEdighCTimn
        yBXmtwdj52hW843DK//9hO6gdEVn1Z84ezud ) ; key id = 651
dyn.niconet.se. 300 IN RRSIG DNSKEY 5 3 300 20061118080551 (
        20051118080551 651 dyn.niconet.se.
        cNbr1mwi0tCzPSGBdzQfWs7OjvgDIoKJNupf6Arnm4zX
        5EpYDJO8v4XzM4QIrPTGHHEBBmjHYaCeRxbzh0sBf3MD
        ZnD3feNMAXdTFRY+J3fLsZFtfpH8duBNmU3YM13y7B9j
        ZT8mhLTkSPKTeecdNcSZpTy8UzRo/wYNpHnFzGafenwf
        HUNls0qE+m9eR4+l5m006NBuLymgmVnVBcvMXRmcI0gZ
        0wSNeIGtC3WOggE0Aknf47JWH09nt9PogdJ+0Eh2sg7p
        Uf+wxfjLzbEiNjo3z+TdulUp6X774WnY+O0gaIMmxZmV
        POybUM49UJsCgVXPGs1vn2MosPXa/8Mj2A== )
dyn.niconet.se. 300 IN RRSIG DNSKEY 5 3 300 20061118080551 (
        20051118080551 65120 dyn.niconet.se.
        PXQs5HGRmC3N3NSQVxxKEMy7IyJKqkzBmGnfQB7CDOEq
        9BYzxlrU5o4yWktSgaDVy0yDhJYFPW0DU0WHV29TUmCm
        aqV5oMvuj328vSb4MGPIQFR58J2R8aRgj3FyeBcOQYfR
        6UfFyN4o/ZHy8PvcUOFWrPlnereTkfrArIq97o5NrojE
        RndF8v3h0kcdECJ/BgAvCFF4x4TnSHoIooMokfS86vmS
        hUuI5W7afCI9qjkrB+RWtCpuKaeUqstdM188BTxqNAqP
        acGhYICgpo2hmRfdhwAYmdlFjAaDD13hHn26pu/JLa0O
        2bBUPEy4JKjKievm9MZz2eg9z5ClEtuSxA== )

There are two DNSKEYs and both are signed by each other. We can now check the signature but are still unable to verify the trustworthiness of the used keys. So let's ask for chaining information from the parent.

dyn.niconet.se. 300 IN DS 651 5 1 ( 5AA71DA50AD09FA2857E4E695F4979056683F2BF )
dyn.niconet.se. 300 IN RRSIG DS 5 3 300 20070204110034 (
        20060204110034 32669 niconet.se.
        W0Dv73cO2I2DLMaDeUr0ROw1VuQ0/3ejrbH1PUDEVYzq
        nAy93TQY8hlOoz3vPEDXupsOq/H+bvi/94G4ovCHGfD8
        FlkNJwKE6KTu+8QcLJ+8K/08FVJbz30zcCZliA74 )

This is a signed fingerprint for key 651. The signing key has id 32669 in zone niconet.se. Let's skip the DNSKEY query for niconet.se and ask the parent directly.

niconet.se. 86094 IN DS 48132 5 1 ( 14C1848A3B17143389613853CF06EEA76BEBD43F )
niconet.se. 86094 IN RRSIG DS 5 2 86400 20060305195120 (
        20060227200552 17585 se.
        RoDfJvvofrW5JJVYaZFEzFD3AUcAiPeNNgxBeVDJkiVG
        J72SSIrDXI6wEwEiBE2JDiuyR6moduTB96O8CUlXflT8
        8Llzdn1xAVM8p19lSwyJfxMIwDyXxeyi3XuSoRLdAhSV
        gDqAUn1CIFfZkOI9TvnLqmurvAhryQDabQ2SgCo= )

The signing key is 17585 in zone se. There is no signed fingerprint for the zone se on the root servers. So we have a secure entry point for which we have to check the trustworthiness. There are two possibilities:

a) Find a different way to obtain the key directly from the se-maintainers. Install this key as "trusted-keys".

b) Use a lookaside zone by querying for DLV from se.dnssec.iks-jena.de.

se.dnssec.iks-jena.de. 57600 IN DLV 17686 5 1 ( 9E5E81A0B71A9B6B251077F700AA730E18D712EF )
se.dnssec.iks-jena.de. 57600 IN RRSIG DLV 5 4 57600 20060324223850 (
        20060222223850 890 dnssec.iks-jena.de.
        JShT4Nd3TS+nVLEWhm9pwpIiBncDXj3USKrwo8jLCfhD
        nHhyYEntZcg4UkSKLanhPVW83cVRGAnT/bYuT2qXct1B
        +k8DNPbaff0CNX0coSAim6CzJlf0ICOVM3GZELT2NtNw
        9pd0lZ+289eUIhsvW8xEZ1oZLB0e6clde28BKqI= )

This is a signed fingerprint (same format as DS) for the key 17686 from se. It is signed by key 890 from dnssec.iks-jena.de. In turn this key is signed by 41517 from dnssec.iks-jena.de., which has a fingerprint signed by 52706 from iks-jena.de. In turn this key is signed by 30258 from iks-jena.de. And finally this very last key is marked as trustworthy by your local configuration.

Have fun!
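The chain-of-trust walk Lutz lays out above, together with the chained-zone versus lookaside-zone distinction from his earlier reply, as an added example that is not code from the thread or from anyone in it: it computes RFC 4034 key tags and DS-style digests, then walks from a leaf zone up to a trusted-keys anchor, falling back to a DLV record when a parent publishes no DS. All zone data and keys are constructed stand-ins (not the real 2006 records); the zone names only mirror the topology discussed.

```python
import hashlib

LOOKASIDE = "dnssec.iks-jena.de"   # the lookaside (DLV) zone named in the thread

def wire_name(name):
    """Owner name in DNS wire form, lower-cased as RFC 4034 requires for DS digests."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key bytes."""
    return flags.to_bytes(2, "big") + bytes([3, alg]) + pubkey

def key_tag(rdata):
    """Key tag (the 'key id' quoted in the thread), RFC 4034 Appendix B."""
    words = [(rdata[i] << 8) | (rdata[i + 1] if i + 1 < len(rdata) else 0)
             for i in range(0, len(rdata), 2)]
    ac = sum(words)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """DS/DLV digest type 1: SHA-1 over wire-form owner name || DNSKEY RDATA."""
    return hashlib.sha1(wire_name(owner) + rdata).hexdigest().upper()

def secure_chain(zone, keys, ds, dlv, anchors):
    """Walk toward the root: a DS in the parent vouches for one of the zone's keys, so
    move up a label; with no DS, a matching DLV hands over to the lookaside zone;
    stop at a trusted-keys anchor. Returns the steps, or None if the chain breaks."""
    steps = []
    while zone not in anchors:
        fps = {(key_tag(k), ds_digest(zone, k)) for k in keys.get(zone, ())}
        if fps & ds.get(zone, set()):
            steps.append((zone, "DS"))
            zone = zone.partition(".")[2]       # parent zone; "" is the root
        elif fps & dlv.get(zone, set()):
            steps.append((zone, "DLV"))
            zone = LOOKASIDE
        else:
            return None
    return steps + [(zone, "trusted-keys")]

def demo_chain():
    """Constructed data shaped like the coruscant.dyn.niconet.se walk (not real keys)."""
    zones = ["dyn.niconet.se", "niconet.se", "se", LOOKASIDE, "iks-jena.de"]
    keys = {z: [dnskey_rdata(257, 5, ("fake-key-" + z).encode())] for z in zones}
    fp = lambda z: {(key_tag(keys[z][0]), ds_digest(z, keys[z][0]))}
    ds = {"dyn.niconet.se": fp("dyn.niconet.se"), "niconet.se": fp("niconet.se"),
          LOOKASIDE: fp(LOOKASIDE)}           # no DS for "se": the root was unsigned
    dlv = {"se": fp("se")}                    # the se.dnssec.iks-jena.de DLV record
    return secure_chain("dyn.niconet.se", keys, ds, dlv, {"iks-jena.de"})
```

Without the DLV entry the walk stops at se and returns None, which is exactly the "secure entry point" situation Lutz describes: the resolver then needs the key of se installed directly in trusted-keys.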
In order to keep the maintenance effort as small as possible, several TLDs offer a separate DNS server which hosts signed subzones. Such servers are available for *.fr, *.net and *.com. The *.se zone is signed using the standard DNS servers.
So where can I get the keys? ;) I googled, but found nothing :(
Another trick to delegate the maintenance work is to use a lookaside zone. There are two zones out there: dlv.verisignlab.com and dnssec.iks-jena.de. A lookaside zone is used by your DNS server to determine a "DS" record for an unknown zone. Consequently the lookaside zone does not contain records for chained zones.
Understood, nice idea, thank you!

-- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
* Max Tulyev wrote:
In order to keep the maintenance effort as small as possible, several TLDs offer a separate DNS server which hosts signed subzones. Such servers are available for *.fr, *.net and *.com. The *.se zone is signed using the standard DNS servers.
So where can I get the keys? ;) I googled, but found nothing :(
Start at the obvious point: http://www.dnssec.net/projects

Strangely enough, neither dnssec.net nor dnssec-deployment.org is signed.
Hello Olaf!
In fact, I can't find exactly the list. And there is nothing working here...

DNSSEC Guide: not available yet.
All files to download: (example) The requested resource (/dnssec/download/anon_zones.tar.gz) is not available.

and so on...

-- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
On Fri, 24 Feb 2006, Max Tulyev wrote:
Hi!
Where can I find the list of signed domains and their open keys to set up my DNS resolver? Which zones are signed now (except RIPE's ones)?
.SE is signed as well, http://dnssec.nic.se/key.html

-- patrik_wallstrom->foodfight->pawal@blipp.com->+46-733173956
participants (6)
- Jeroen Massar
- Lutz Donnerhacke
- Max Tulyev
- Olaf M. Kolkman
- Patrik Wallstrom
- Sander Steffann