[dns-wg] DNSSEC: Signed zones list
Lutz Donnerhacke
lutz at iks-jena.de
Tue Feb 28 13:27:16 CET 2006
* Max Tulyev wrote:
> So what exactly I should do with this?

In your named.conf:

options {
  ...
  dnssec-enable yes;
  dnssec-lookaside "." trust-anchor "dnssec.iks-jena.de";
};

trusted-keys {
  "iks-jena.de." 257 3 5 "AQPRteOmx973cbeIMigT7nciz3dcbt8ssZPGOK2vtPQl
                          EaZO2fKgnm1Fo6FPWcGqKv6O1ZpjEw2upKVDnzwMCRHp
                          Ge0Qh2TawStviww/jxUtjoZom9Hy6uIkTvo7TxqnWg55
                          LoHlcsl1kxsF1PsM2Z88F1XhXSrUtkiQnViXbfzR0joD
                          E8xGJ9zRNuzr9Jik+bcv4S4KFOE/Ocn4F5vF7+eojz9m
                          3/u0gvQdvgFsb7OHr9cYA5GeG++cJWGG6xFF+yWEDdWu
                          u2A7IJM3EQFWLr0kGDS6oWo/5Bz4PlrURjU5wahM1iwL
                          nbKXhQQempzPYnSEs1CW+KH73WjMa76Dna9B";
};

What happens now? Imagine you query the A record for coruscant.dyn.niconet.se.

coruscant.dyn.niconet.se. 38 IN A 213.114.39.13
coruscant.dyn.niconet.se. 38 IN RRSIG A 5 4 60 20070120160745 (
                          20060119150745 651 dyn.niconet.se.
                          F5vLlZAn5k/Mtaw6PSzkxTaTtHS8myV95eEOugY5lepf
                          PJIiFbV5HiHZSDpoNXjAhzWzHY96+R0Wd7Qu2UUr3gDn
                          Z/YXoHzLqC3lzRS9HSVx9HzzPixjt0/8ChhEK0QMUuhh
                          lN8Xq90ayiUdtkK6jDM5CG27VjMbtr/de4475TSmBOut
                          m+Jd/B+E8s+OzHTNXphAM0LgGjhS1IZcpMoQyfPbosbD
                          K6VqD79nJdjzPZlmE2f0cFesELkJEHC1bcRA32W3BwI6
                          k+UB1T+yqf4TJj25BoTwfWVP/AEe4BHe1at44K6LDA2f
                          bQc9ibWFGup/O8S8IkcNi76AiA2XVibcjA== )
coruscant.dyn.niconet.se. 38 IN RRSIG A 5 4 60 20070120160745 (
                          20060119150745 65120 dyn.niconet.se.
                          T+4KN4Ol3e6cPLy7ue4wSd9VwnCWYLxvOSljCtWnQxKp
                          oCvrNjkkAV0j1AHHqI5nMK63mbyb+tUudq/3jFX5WhCl
                          hCaSWFNH+LIB5982VixgodqCUKJrUTfB2bB33ZD320PO
                          msa1H3bJ532Vf2BudACn40bNdjc87mW4sGwv9g7FzEJ0
                          yuEkem+fm0AAP2qKBXRkiTSJwo6I3LiwIWODJenAP8XZ
                          odhk+PWipFQSNhnPRd3tYIKUYHIOOUMaEFECTdtyTsaM
                          K8fIgE1AD6b6XjiQx9eDolIvDmSELc/K12L4qCWJbh84
                          burp6AXMm5TpzTCJMbXuc/xPZJIW7D2T/g== )

As you can see, it's signed! Let's check the signatures. First we need the key. From the RRSIG entries both keys reside in the zone dyn.niconet.se. and have the key ids 651 and 65120. So let's retrieve those DNSKEYs.

dyn.niconet.se. 300 IN DNSKEY 256 3 5 (
                          AQOfq5czkMFmGPBCa8lXbM+yyNPfBQvn9Uomj3to07kz
                          NegN4gqPdfXy2lIhYJ9JF1wQ7bvG2J3fo1Ysu9E2AIn3
                          hdesGyiAEGXO1PJqMYmts/1tXtE2HQ8LNa+omo90Ph2O
                          5cJN5YKDXdYJ1fZzfJrpza6VHmSeXrVQMsQYx8nO69ns
                          rCtmMhopXp9I+Vvv9e7eG8/c4ji60AgigNGYro7GbUQQ
                          4YicoRL7USZiXEVWstzXXk+XQ+5IOny6+Q7rij7fdipM
                          CZ41vvJ2N0ETMfzZuYR3AcaWVauOxITVnobVZaFfZ5Us
                          5Id2FSyW8A1AvDPLMJNZWM23VBhNmmESCnrn
                          ) ; key id = 65120
dyn.niconet.se. 300 IN DNSKEY 257 3 5 (
                          AQPCeNlj/rDZis8yPN8GI2WXJpnoIF1iIiS4xCc8gAJM
                          77pmuVEalUqhGhjykMA0uSrWrQu0nBl0FvFCp0vL4T+4
                          ZLT7Ug7KOTJauiiEuxj7IGNhHh7az6Q0KXf8Y8i1pvvA
                          PPWENZJqUgK1YMTJ6t/GTTGld4elhwz5a3vu2aAc2GpZ
                          MAqa9idTC8o8x1A8w9e3B7fr2cMwiMnyk3Mk+2SLZAxU
                          dk45S8gBuV0UEEUoU5viSkNOgxeaAprO7ORR/AJB/20V
                          EiJ9FAsfnjTcqR57GS5NMeh/cIVm46xBwjEdighCTimn
                          yBXmtwdj52hW843DK//9hO6gdEVn1Z84ezud
                          ) ; key id = 651
dyn.niconet.se. 300 IN RRSIG DNSKEY 5 3 300 20061118080551 (
                          20051118080551 651 dyn.niconet.se.
                          cNbr1mwi0tCzPSGBdzQfWs7OjvgDIoKJNupf6Arnm4zX
                          5EpYDJO8v4XzM4QIrPTGHHEBBmjHYaCeRxbzh0sBf3MD
                          ZnD3feNMAXdTFRY+J3fLsZFtfpH8duBNmU3YM13y7B9j
                          ZT8mhLTkSPKTeecdNcSZpTy8UzRo/wYNpHnFzGafenwf
                          HUNls0qE+m9eR4+l5m006NBuLymgmVnVBcvMXRmcI0gZ
                          0wSNeIGtC3WOggE0Aknf47JWH09nt9PogdJ+0Eh2sg7p
                          Uf+wxfjLzbEiNjo3z+TdulUp6X774WnY+O0gaIMmxZmV
                          POybUM49UJsCgVXPGs1vn2MosPXa/8Mj2A== )
dyn.niconet.se. 300 IN RRSIG DNSKEY 5 3 300 20061118080551 (
                          20051118080551 65120 dyn.niconet.se.
                          PXQs5HGRmC3N3NSQVxxKEMy7IyJKqkzBmGnfQB7CDOEq
                          9BYzxlrU5o4yWktSgaDVy0yDhJYFPW0DU0WHV29TUmCm
                          aqV5oMvuj328vSb4MGPIQFR58J2R8aRgj3FyeBcOQYfR
                          6UfFyN4o/ZHy8PvcUOFWrPlnereTkfrArIq97o5NrojE
                          RndF8v3h0kcdECJ/BgAvCFF4x4TnSHoIooMokfS86vmS
                          hUuI5W7afCI9qjkrB+RWtCpuKaeUqstdM188BTxqNAqP
                          acGhYICgpo2hmRfdhwAYmdlFjAaDD13hHn26pu/JLa0O
                          2bBUPEy4JKjKievm9MZz2eg9z5ClEtuSxA== )

There are two DNSKEYs and both are signed by each other. We can now check the signature but are still unable to verify the trustworthiness of the used keys. So let's ask for chaining information from the parent.

dyn.niconet.se. 300 IN DS 651 5 1 ( 5AA71DA50AD09FA2857E4E695F4979056683F2BF )
dyn.niconet.se. 300 IN RRSIG DS 5 3 300 20070204110034 (
                          20060204110034 32669 niconet.se.
                          W0Dv73cO2I2DLMaDeUr0ROw1VuQ0/3ejrbH1PUDEVYzq
                          nAy93TQY8hlOoz3vPEDXupsOq/H+bvi/94G4ovCHGfD8
                          FlkNJwKE6KTu+8QcLJ+8K/08FVJbz30zcCZliA74 )

This is a signed fingerprint for key 651. The signing key has id 32669 in zone niconet.se. Let's skip the DNSKEY query for niconet.se and ask the parent directly.

niconet.se. 86094 IN DS 48132 5 1 ( 14C1848A3B17143389613853CF06EEA76BEBD43F )
niconet.se. 86094 IN RRSIG DS 5 2 86400 20060305195120 (
                          20060227200552 17585 se.
                          RoDfJvvofrW5JJVYaZFEzFD3AUcAiPeNNgxBeVDJkiVG
                          J72SSIrDXI6wEwEiBE2JDiuyR6moduTB96O8CUlXflT8
                          8Llzdn1xAVM8p19lSwyJfxMIwDyXxeyi3XuSoRLdAhSV
                          gDqAUn1CIFfZkOI9TvnLqmurvAhryQDabQ2SgCo= )

The signing key is 17585 in zone se. There is no signed fingerprint for the zone se on the root servers. So we have a secure entry point for which we have to check the trustworthiness. There are two possibilities:

a) Find a different way to obtain the key directly from the se-maintainers. Install this key as "trusted-keys".

b) Use a lookaside zone by querying for DLV from se.dnssec.iks-jena.de.

se.dnssec.iks-jena.de. 57600 IN DLV 17686 5 1 ( 9E5E81A0B71A9B6B251077F700AA730E18D712EF )
se.dnssec.iks-jena.de. 57600 IN RRSIG DLV 5 4 57600 20060324223850 (
                          20060222223850 890 dnssec.iks-jena.de.
                          JShT4Nd3TS+nVLEWhm9pwpIiBncDXj3USKrwo8jLCfhD
                          nHhyYEntZcg4UkSKLanhPVW83cVRGAnT/bYuT2qXct1B
                          +k8DNPbaff0CNX0coSAim6CzJlf0ICOVM3GZELT2NtNw
                          9pd0lZ+289eUIhsvW8xEZ1oZLB0e6clde28BKqI= )

This is a signed fingerprint (same format as DS) for the key 17686 from se. It is signed by key 890 from dnssec.iks-jena.de. In turn this key is signed by 41517 from dnssec.iks-jena.de. which has a fingerprint signed by 52706 from iks-jena.de. In turn this key is signed by 30258 from iks-jena.de. And finally this very last key is marked as trustworthy by your local configuration.

Have fun!
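The "signed fingerprint" link in the chain above can be recomputed by hand. The following is an added example, not code from the mail or from BIND: it derives the RFC 4034 key tag and the digest-type-1 DS digest for the dyn.niconet.se. key with id 651 quoted in the mail and compares them with the DS record served by the parent (a DLV record is checked the same way). The helper names and the small constructed key in the test are assumptions, not part of the mail.

```python
import base64
import hashlib

def name_to_wire(name):
    """Owner name in canonical wire form: lowercase labels, length-prefixed, no compression."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    key = base64.b64decode("".join(pubkey_b64.split()))   # dig splits the key across lines
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the 'key id' dig prints); not valid for algorithm 1 (RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha1(owner, rdata):
    """Digest type 1: SHA-1 over the canonical owner name followed by the DNSKEY RDATA."""
    return hashlib.sha1(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner, rdata, tag, alg, digest_type, digest):
    """A DS (or DLV) record vouches for this key only if tag, algorithm and digest all agree."""
    if digest_type != 1 or alg != rdata[3]:
        return False
    return key_tag(rdata) == tag and ds_digest_sha1(owner, rdata) == digest.upper()

# KSK of dyn.niconet.se. (flags 257, key id 651) and its DS at niconet.se., as quoted in the mail.
DYN_KSK_B64 = """AQPCeNlj/rDZis8yPN8GI2WXJpnoIF1iIiS4xCc8gAJM
77pmuVEalUqhGhjykMA0uSrWrQu0nBl0FvFCp0vL4T+4
ZLT7Ug7KOTJauiiEuxj7IGNhHh7az6Q0KXf8Y8i1pvvA
PPWENZJqUgK1YMTJ6t/GTTGld4elhwz5a3vu2aAc2GpZ
MAqa9idTC8o8x1A8w9e3B7fr2cMwiMnyk3Mk+2SLZAxU
dk45S8gBuV0UEEUoU5viSkNOgxeaAprO7ORR/AJB/20V
EiJ9FAsfnjTcqR57GS5NMeh/cIVm46xBwjEdighCTimn
yBXmtwdj52hW843DK//9hO6gdEVn1Z84ezud"""
DYN_DS = (651, 5, 1, "5AA71DA50AD09FA2857E4E695F4979056683F2BF")

def check_dyn_niconet():
    """Recompute tag and digest for the quoted key and test them against the quoted DS."""
    rdata = dnskey_rdata(257, 3, 5, DYN_KSK_B64)
    return key_tag(rdata), ds_digest_sha1("dyn.niconet.se.", rdata), ds_matches("dyn.niconet.se.", rdata, *DYN_DS)

if __name__ == "__main__":
    tag, digest, ok = check_dyn_niconet()
    print(f"key tag {tag}, DS digest {digest}, DS 651 5 1 matches: {ok}")
```

A mismatch here means either the DNSKEY was not copied intact or the parent's DS does not refer to this key; a validator treats the latter as a broken chain, not as an unsigned zone.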