[dns-wg] DNSSEC: Signed zones list
Lutz Donnerhacke
lutz at iks-jena.de
Tue Feb 28 13:27:16 CET 2006
* Max Tulyev wrote:
> So what exactly I should do with this?
In your named.conf:
options {
    ...
    dnssec-enable yes;
    dnssec-lookaside "." trust-anchor "dnssec.iks-jena.de";
};

trusted-keys {
    "iks-jena.de." 257 3 5 "AQPRteOmx973cbeIMigT7nciz3dcbt8ssZPGOK2vtPQl
    EaZO2fKgnm1Fo6FPWcGqKv6O1ZpjEw2upKVDnzwMCRHp
    Ge0Qh2TawStviww/jxUtjoZom9Hy6uIkTvo7TxqnWg55
    LoHlcsl1kxsF1PsM2Z88F1XhXSrUtkiQnViXbfzR0joD
    E8xGJ9zRNuzr9Jik+bcv4S4KFOE/Ocn4F5vF7+eojz9m
    3/u0gvQdvgFsb7OHr9cYA5GeG++cJWGG6xFF+yWEDdWu
    u2A7IJM3EQFWLr0kGDS6oWo/5Bz4PlrURjU5wahM1iwL
    nbKXhQQempzPYnSEs1CW+KH73WjMa76Dna9B";
};
What happens now?
Imagine you query the A record for coruscant.dyn.niconet.se.
coruscant.dyn.niconet.se. 38 IN A 213.114.39.13
coruscant.dyn.niconet.se. 38 IN RRSIG A 5 4 60 20070120160745 (
20060119150745 651 dyn.niconet.se.
F5vLlZAn5k/Mtaw6PSzkxTaTtHS8myV95eEOugY5lepf
PJIiFbV5HiHZSDpoNXjAhzWzHY96+R0Wd7Qu2UUr3gDn
Z/YXoHzLqC3lzRS9HSVx9HzzPixjt0/8ChhEK0QMUuhh
lN8Xq90ayiUdtkK6jDM5CG27VjMbtr/de4475TSmBOut
m+Jd/B+E8s+OzHTNXphAM0LgGjhS1IZcpMoQyfPbosbD
K6VqD79nJdjzPZlmE2f0cFesELkJEHC1bcRA32W3BwI6
k+UB1T+yqf4TJj25BoTwfWVP/AEe4BHe1at44K6LDA2f
bQc9ibWFGup/O8S8IkcNi76AiA2XVibcjA== )
coruscant.dyn.niconet.se. 38 IN RRSIG A 5 4 60 20070120160745 (
20060119150745 65120 dyn.niconet.se.
T+4KN4Ol3e6cPLy7ue4wSd9VwnCWYLxvOSljCtWnQxKp
oCvrNjkkAV0j1AHHqI5nMK63mbyb+tUudq/3jFX5WhCl
hCaSWFNH+LIB5982VixgodqCUKJrUTfB2bB33ZD320PO
msa1H3bJ532Vf2BudACn40bNdjc87mW4sGwv9g7FzEJ0
yuEkem+fm0AAP2qKBXRkiTSJwo6I3LiwIWODJenAP8XZ
odhk+PWipFQSNhnPRd3tYIKUYHIOOUMaEFECTdtyTsaM
K8fIgE1AD6b6XjiQx9eDolIvDmSELc/K12L4qCWJbh84
burp6AXMm5TpzTCJMbXuc/xPZJIW7D2T/g== )
As you can see, it's signed! Let's check the signatures.
First we need the key. From the RRSIG entries, both keys reside in the
zone dyn.niconet.se. and have the key ids 651 and 65120.
So let's retrieve those DNSKEYs.
dyn.niconet.se. 300 IN DNSKEY 256 3 5 (
AQOfq5czkMFmGPBCa8lXbM+yyNPfBQvn9Uomj3to07kz
NegN4gqPdfXy2lIhYJ9JF1wQ7bvG2J3fo1Ysu9E2AIn3
hdesGyiAEGXO1PJqMYmts/1tXtE2HQ8LNa+omo90Ph2O
5cJN5YKDXdYJ1fZzfJrpza6VHmSeXrVQMsQYx8nO69ns
rCtmMhopXp9I+Vvv9e7eG8/c4ji60AgigNGYro7GbUQQ
4YicoRL7USZiXEVWstzXXk+XQ+5IOny6+Q7rij7fdipM
CZ41vvJ2N0ETMfzZuYR3AcaWVauOxITVnobVZaFfZ5Us
5Id2FSyW8A1AvDPLMJNZWM23VBhNmmESCnrn
) ; key id = 65120
dyn.niconet.se. 300 IN DNSKEY 257 3 5 (
AQPCeNlj/rDZis8yPN8GI2WXJpnoIF1iIiS4xCc8gAJM
77pmuVEalUqhGhjykMA0uSrWrQu0nBl0FvFCp0vL4T+4
ZLT7Ug7KOTJauiiEuxj7IGNhHh7az6Q0KXf8Y8i1pvvA
PPWENZJqUgK1YMTJ6t/GTTGld4elhwz5a3vu2aAc2GpZ
MAqa9idTC8o8x1A8w9e3B7fr2cMwiMnyk3Mk+2SLZAxU
dk45S8gBuV0UEEUoU5viSkNOgxeaAprO7ORR/AJB/20V
EiJ9FAsfnjTcqR57GS5NMeh/cIVm46xBwjEdighCTimn
yBXmtwdj52hW843DK//9hO6gdEVn1Z84ezud
) ; key id = 651
dyn.niconet.se. 300 IN RRSIG DNSKEY 5 3 300 20061118080551 (
20051118080551 651 dyn.niconet.se.
cNbr1mwi0tCzPSGBdzQfWs7OjvgDIoKJNupf6Arnm4zX
5EpYDJO8v4XzM4QIrPTGHHEBBmjHYaCeRxbzh0sBf3MD
ZnD3feNMAXdTFRY+J3fLsZFtfpH8duBNmU3YM13y7B9j
ZT8mhLTkSPKTeecdNcSZpTy8UzRo/wYNpHnFzGafenwf
HUNls0qE+m9eR4+l5m006NBuLymgmVnVBcvMXRmcI0gZ
0wSNeIGtC3WOggE0Aknf47JWH09nt9PogdJ+0Eh2sg7p
Uf+wxfjLzbEiNjo3z+TdulUp6X774WnY+O0gaIMmxZmV
POybUM49UJsCgVXPGs1vn2MosPXa/8Mj2A== )
dyn.niconet.se. 300 IN RRSIG DNSKEY 5 3 300 20061118080551 (
20051118080551 65120 dyn.niconet.se.
PXQs5HGRmC3N3NSQVxxKEMy7IyJKqkzBmGnfQB7CDOEq
9BYzxlrU5o4yWktSgaDVy0yDhJYFPW0DU0WHV29TUmCm
aqV5oMvuj328vSb4MGPIQFR58J2R8aRgj3FyeBcOQYfR
6UfFyN4o/ZHy8PvcUOFWrPlnereTkfrArIq97o5NrojE
RndF8v3h0kcdECJ/BgAvCFF4x4TnSHoIooMokfS86vmS
hUuI5W7afCI9qjkrB+RWtCpuKaeUqstdM188BTxqNAqP
acGhYICgpo2hmRfdhwAYmdlFjAaDD13hHn26pu/JLa0O
2bBUPEy4JKjKievm9MZz2eg9z5ClEtuSxA== )
There are two DNSKEYs and both are signed by each other. We can now check
the signature but are still unable to verify the trustworthiness of the used keys.
So let's ask for chaining information from the parent.
dyn.niconet.se. 300 IN DS 651 5 1 (
5AA71DA50AD09FA2857E4E695F4979056683F2BF )
dyn.niconet.se. 300 IN RRSIG DS 5 3 300 20070204110034 (
20060204110034 32669 niconet.se.
W0Dv73cO2I2DLMaDeUr0ROw1VuQ0/3ejrbH1PUDEVYzq
nAy93TQY8hlOoz3vPEDXupsOq/H+bvi/94G4ovCHGfD8
FlkNJwKE6KTu+8QcLJ+8K/08FVJbz30zcCZliA74 )
This is a signed fingerprint for key 651. The signing key has id 32669 in
zone niconet.se. Let's skip the dnskey query for niconet.se and ask the
parent directly.
niconet.se. 86094 IN DS 48132 5 1 (
14C1848A3B17143389613853CF06EEA76BEBD43F )
niconet.se. 86094 IN RRSIG DS 5 2 86400 20060305195120 (
20060227200552 17585 se.
RoDfJvvofrW5JJVYaZFEzFD3AUcAiPeNNgxBeVDJkiVG
J72SSIrDXI6wEwEiBE2JDiuyR6moduTB96O8CUlXflT8
8Llzdn1xAVM8p19lSwyJfxMIwDyXxeyi3XuSoRLdAhSV
gDqAUn1CIFfZkOI9TvnLqmurvAhryQDabQ2SgCo= )
The signing key is 17585 in zone se. There is no signed fingerprint for the
zone se on the root servers. So we have a secure entry point for which we
have to check the trustworthiness.
There are two possibilities:
a) Find a different way to obtain the key directly from the se-maintainers.
Install this key as "trusted-keys".
b) Use a lookaside zone by querying for DLV from se.dnssec.iks-jena.de.
se.dnssec.iks-jena.de. 57600 IN DLV 17686 5 1 (
9E5E81A0B71A9B6B251077F700AA730E18D712EF )
se.dnssec.iks-jena.de. 57600 IN RRSIG DLV 5 4 57600 20060324223850 (
20060222223850 890 dnssec.iks-jena.de.
JShT4Nd3TS+nVLEWhm9pwpIiBncDXj3USKrwo8jLCfhD
nHhyYEntZcg4UkSKLanhPVW83cVRGAnT/bYuT2qXct1B
+k8DNPbaff0CNX0coSAim6CzJlf0ICOVM3GZELT2NtNw
9pd0lZ+289eUIhsvW8xEZ1oZLB0e6clde28BKqI= )
This is a signed fingerprint (same format as DS) for the key 17686 from se.
It is signed by key 890 from dnssec.iks-jena.de. In turn this key is signed
by 41517 from dnssec.iks-jena.de. which has a fingerprint signed by 52706
from iks-jena.de. In turn this key is signed by 30258 from iks-jena.de.
And finally this very last key is marked as trustworthy by your local
configuration. Have fun!
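As an added example (not part of Lutz's post), the following Python recomputes the RFC 4034 key tag and the SHA-1 DS digest for the dyn.niconet.se. key-signing key quoted above, so you can check for yourself that the DS record from the parent really points at the key dig labels 651. KSK_B64 and DS_FROM_PAGE are copied from the message; the helper functions are hypothetical code written for this illustration.

```python
"""Key tag (RFC 4034 App. B) and DS digest (RFC 4034 s5.1.4) checks for the records quoted above."""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Encode a dotted owner name in DNS wire format, lower-cased as the DS digest requires."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Rebuild the DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag for algorithms other than 1: 16-bit one's-complement-style sum over the RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest_sha1(owner: str, rdata: bytes) -> str:
    """DS digest type 1: SHA-1 over owner name (wire form) followed by the DNSKEY RDATA."""
    return hashlib.sha1(name_to_wire(owner) + rdata).hexdigest().upper()


# DNSKEY 257 3 5 of dyn.niconet.se. as quoted in the message (dig reports key id = 651).
KSK_B64 = (
    "AQPCeNlj/rDZis8yPN8GI2WXJpnoIF1iIiS4xCc8gAJM77pmuVEalUqhGhjykMA0uSrWrQu0nBl0FvFCp0vL4T+4"
    "ZLT7Ug7KOTJauiiEuxj7IGNhHh7az6Q0KXf8Y8i1pvvAPPWENZJqUgK1YMTJ6t/GTTGld4elhwz5a3vu2aAc2GpZ"
    "MAqa9idTC8o8x1A8w9e3B7fr2cMwiMnyk3Mk+2SLZAxUdk45S8gBuV0UEEUoU5viSkNOgxeaAprO7ORR/AJB/20V"
    "EiJ9FAsfnjTcqR57GS5NMeh/cIVm46xBwjEdighCTimnyBXmtwdj52hW843DK//9hO6gdEVn1Z84ezud"
)
# DS 651 5 1 for dyn.niconet.se. as served by the parent zone niconet.se. (from the message).
DS_FROM_PAGE = "5AA71DA50AD09FA2857E4E695F4979056683F2BF"


def check_page_records() -> tuple:
    """Return (computed key tag, computed DS digest) for the quoted KSK."""
    rdata = dnskey_rdata(257, 3, 5, KSK_B64)
    return key_tag(rdata), ds_digest_sha1("dyn.niconet.se.", rdata)


if __name__ == "__main__":
    tag, digest = check_page_records()
    print(f"computed key tag: {tag}  computed DS SHA-1: {digest}")
    print("parent DS matches this DNSKEY" if digest == DS_FROM_PAGE else "parent DS does NOT match")
```

The same two functions apply to the niconet.se. DS (48132) and the DLV entry for se. (17686), since a DLV record carries exactly the DS format.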