[dns-wg] DNSSEC: Signed zones list

On Mon, 2006-02-27 at 14:30 +0300, Max Tulyev wrote:
> > Another trick to delegate the maintaining work is to use a lookaside zone.
> > There are two zones out there: dlv.verisignlab.com and dnssec.iks-jena.de.
> > A lookaside zone is used by your DNS server to determine a "DS" record for
> > an unknown zone. Consequently the lookaside zone does not contain records
> > for chained zones.
> 
> It's like black magic :(
> 
> localhost bind # ping dlv.verisignlab.com
> ping: unknown host dlv.verisignlab.com

try adding an 's'. The above is a very nice example of a domainsquatter
(also something where neither dnssec or tls can't help as anyone can
register any domain)

$ dig -t any dlv.verisignlabs.com
;; Truncated, retrying in TCP mode.
[..]
dlv.verisignlabs.com.	86400	IN	NS	ns1.dlv.verisignlabs.com.
dlv.verisignlabs.com.	3600	IN	DNSKEY	256 3 5 AQOlH7LDa3Sy/rK
+WyqydkS94p1hWWhEyTdZhxwuz/1zPGqh8pc8lXNj
tOqcVXNSQX1XCSJPhW8XylXlq8gLlyRiVUs+TBoKrGYs7VARuLqZZDW4 Utu
+VuDsTCjxjtAgxH15KfJbmnpMP3ffQvDHzyj8F2Dw6aaLHAwot3eI YWOy7w==
[..]

> localhost bind # ping dnssec.iks-jena.de
> ping: unknown host dnssec.iks-jena.de

Doesn't have an A record, but does have a large number of others.

Use the 'dig'.

Greets,
 Jeroen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 240 bytes
Desc: This is a digitally signed message part
URL: </ripe/mail/archives/dns-wg/attachments/20060227/05f3b13c/attachment.sig>