In message <4B7A502F.8000204@knownelement.com>, Charles N Wyble writes:
Repeat for IPv6.
dig -6 ns . +norec @l.root-servers.net
dig -6 ns . +dnssec +cd +norec @l.root-servers.net
dig -6 any . +dnssec +cd +norec @l.root-servers.net
dig -6 any . +dnssec +cd +norec @l.root-servers.net +vc
Mark
Thank you. That's a nice quick/dirty test.
All 4 commands worked.
If folks are curious, my setup is Ubuntu 9.10 client, Ubuntu 9.10 server running bind and a cisco 1841 running 12.4(18). I don't have a Windows box handy to test on. How would one test with nslookup anyway? Or does it only matter if the local DNS server can do the lookup and clients will just work? Though one would still need to test from Windows if you have AD for DNS I suppose. *shrugs*
Ok.... that's the client side.
That's a path test. Next are system tests. You should get answers to all of the below and you should have "ad" set in the "se" query.

named.test.conf:

trusted-keys {
	dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
};

options {
	listen-on port 4444 { 127.0.0.1; };
	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside . trust-anchor dlv.isc.org;
};

dig -p 4444 @127.0.0.1 +dnssec se soa
dig -p 4444 @127.0.0.1 +dnssec .
dig -p 4444 @127.0.0.1 +dnssec www.microsoft.com

Once you are confident you can add these to your normal named.conf. See https://www.isc.org/solutions/dlv for more details and subscribe to dlv-announce@isc.org so you will get reminders about when to update the trusted-keys statement. When the root is signed you will want to add a trusted-keys clause for it as well. I wouldn't suggest tracking more trusted keys than that for the moment.
How about the server side?
I'm currently using my registrar's DNS servers. I haven't seen anything in their control panel about DNSSEC. One item on my TODO list is to move DNS to my BIND servers.
Quick search turns up http://www.howtoforge.com/debian_bind9_master_slave_system which mentions a few commands and a couple of stanzas. Is that all it takes? How do you verify that you are .... compliant? complete? I mean SSL based PKI is pretty straightforward and I understand it and can verify that I'm compliant/complete (run my own CA, issue certs, delegate trust etc). Guess I need to do more reading on DNSSEC and how to integrate into the global DNSSEC infrastructure (such as it is and will emerge to be). I have a test domain that I use for things like this. I would like to set up DNSSEC and then positively/negatively test it. Just not sure how. Presumably one should attempt to MITM the request and make sure the resolver complains, yes?
This is at my home network and as such I have a great degree of latitude. For folks who have managers to report to, what are the justifications for deploying DNSSEC?
I think one would do it in stages:
1) Make sure their infrastructure can at least handle the DNS protocol changes that DNSSEC brings about (i.e. the 4 test commands above pass)
2) Implement a parallel environment with and without DNSSEC (is this possible/desirable?)
3) Sign their records.
Anyway just some thoughts.
Thanks to folks who have responded so far.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
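The "ad" check Mark describes, and the positive/negative test Charles asks about, can be turned into a small script. This is an added example, not code from either poster or from ISC. It classifies a validating resolver's answer from dig's header lines: NOERROR with "ad" set means the chain of trust verified; NOERROR without "ad" means the name is unsigned or no trust anchor covers it; SERVFAIL from the normal query but NOERROR when the same query is repeated with +cd (checking disabled) means the data arrived but failed validation, which is what a tampered or MITM'd response looks like to the resolver. The sample dig outputs below are constructed, not captured, and the RESOLVER/PORT defaults are assumptions (they point at the test instance on 127.0.0.1 port 4444 from the thread).

```shell
#!/bin/sh
# Added example: classify DNSSEC validation results from dig output.
# Not from the original thread. Assumes dig's standard text output format.

# Extract "status: X" from dig's ;; ->>HEADER<<- line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Extract the flag list from dig's ";; flags:" line.
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# Return 0 if the "ad" (Authenticated Data) flag is present.
has_ad_flag() {
    case " $(dig_flags "$1") " in
        *" ad "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# $1: output of the normal query, $2: output of the same query with +cd.
# Prints one of: secure, insecure, bogus, error.
dnssec_verdict() {
    normal_out="$1"
    cd_out="$2"
    st=$(dig_status "$normal_out")
    cdst=$(dig_status "$cd_out")
    if [ "$st" = NOERROR ]; then
        if has_ad_flag "$normal_out"; then echo secure; else echo insecure; fi
    elif [ "$st" = SERVFAIL ] && [ "$cdst" = NOERROR ]; then
        echo bogus      # data is reachable but fails validation
    else
        echo error      # resolver down, NXDOMAIN, etc.
    fi
}

# Live helper (assumed defaults): query a validating resolver both ways.
check_name() {
    name="$1"; qtype="${2:-A}"
    resolver="${RESOLVER:-127.0.0.1}"; port="${PORT:-4444}"
    normal_out=$(dig -p "$port" "@$resolver" +dnssec "$name" "$qtype" 2>&1)
    cd_out=$(dig -p "$port" "@$resolver" +dnssec +cd "$name" "$qtype" 2>&1)
    printf '%s %s: %s\n' "$name" "$qtype" "$(dnssec_verdict "$normal_out" "$cd_out")"
}

# Constructed sample outputs (only the header lines matter to the classifier).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: sh dnssec-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "sample secure:   $(dnssec_verdict "$SAMPLE_SECURE"   "$SAMPLE_SECURE")"
    echo "sample insecure: $(dnssec_verdict "$SAMPLE_INSECURE" "$SAMPLE_INSECURE")"
    echo "sample bogus:    $(dnssec_verdict "$SAMPLE_SERVFAIL" "$SAMPLE_CD_OK")"
    if command -v dig >/dev/null 2>&1; then
        check_name se SOA      # should print "secure" on a working validator
        check_name . NS
    fi
fi
```

For the negative test, point RESOLVER at the validating instance, then serve a deliberately broken copy of the test zone (an altered RRSIG, or an A record changed after signing) and confirm that check_name reports "bogus": the +cd query still returns the tampered data, the normal query does not.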