[dns-operations] darkreading article on EDU signing
Chris Thompson
cet1 at cam.ac.uk
Fri Sep 11 11:23:45 UTC 2009
On Sep 10 2009, Michael Sinatra wrote:
>By now, you've probably read about the impending signing of the EDU
>zone. Here's an article from darkreading on the subject:
>
>http://www.darkreading.com/securityservices/security/government/showArticle.jhtml?articleID=219700072
>
>One quote from the article stood out for me:
[...]
The first thing that occurred to me was whether we can expect the
GTLD servers to stop "promoting glue to answer" by the March 2010
date. Otherwise that problem is going to become a lot more visible.

Currently, for example: take a zone under edu which is signed and
in dlv.isc.org, i.e. psc.edu (all others are third-level the last
time I checked). Flush all entries for it out of the cache on your
validating-via-dlv.isc.org server, and try

$ dig +dnssec a dns1.psc.edu
; <<>> DiG 9.6.1-P1 <<>> +dnssec a dns1.psc.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36810
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dns1.psc.edu. IN A
;; Query time: 1115 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 11 12:09:50 2009
;; MSG SIZE rcvd: 41

Of course that is because of:

$ dig +norec dns1.psc.edu @a.gtld-servers.net.
; <<>> DiG 9.6.1-P1 <<>> +norec dns1.psc.edu @a.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41272
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;dns1.psc.edu. IN A
;; ANSWER SECTION:
dns1.psc.edu. 172800 IN A 128.182.58.105
;; AUTHORITY SECTION:
psc.edu. 172800 IN NS charon.psc.edu.
psc.edu. 172800 IN NS dns1.psc.edu.
psc.edu. 172800 IN NS dns2.itd.umich.edu.
;; ADDITIONAL SECTION:
charon.psc.edu. 172800 IN A 128.182.65.6
dns1.psc.edu. 172800 IN A 128.182.58.105
dns2.itd.umich.edu. 172800 IN A 141.211.125.15
;; Query time: 132 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Fri Sep 11 12:15:48 2009
;; MSG SIZE rcvd: 158
--
Chris Thompson University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
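
A check for the behaviour shown in the second dig output above, as an added example that is not part of the original message: it flags a response that lacks the aa flag yet carries an ANSWER for a name at or below the delegation listed in its own AUTHORITY section. The function names are hypothetical and the sample is constructed by condensing the output quoted in the message.

```python
import re

# Constructed sample, condensed from the dig +norec output quoted above.
SAMPLE = """\
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;dns1.psc.edu. IN A
;; ANSWER SECTION:
dns1.psc.edu. 172800 IN A 128.182.58.105
;; AUTHORITY SECTION:
psc.edu. 172800 IN NS charon.psc.edu.
psc.edu. 172800 IN NS dns1.psc.edu.
psc.edu. 172800 IN NS dns2.itd.umich.edu.
;; ADDITIONAL SECTION:
dns1.psc.edu. 172800 IN A 128.182.58.105
"""

def parse_dig(text):
    """Return (header flags, {section name: [whitespace-split records]})."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r";; flags:([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and not line.startswith(";;"):
            # dig prints the question record with a leading ';'
            sections[current].append(line.lstrip(";").split())
    return flags, sections

def is_at_or_below(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def glue_promoted_to_answer(text):
    """True if a non-authoritative response answers a name at or below a
    delegation it also hands out, i.e. glue placed in the ANSWER section."""
    flags, sec = parse_dig(text)
    if "aa" in flags or not sec.get("ANSWER") or not sec.get("QUESTION"):
        return False
    qname = sec["QUESTION"][0][0]
    cuts = {rr[0] for rr in sec.get("AUTHORITY", [])
            if len(rr) > 3 and rr[3] == "NS"}
    return any(is_at_or_below(qname, cut) for cut in cuts)

if __name__ == "__main__":
    print(glue_promoted_to_answer(SAMPLE))
```

The function takes the text of a `dig +norec` query sent to a parent zone's server; an authoritative answer or a plain referral with an empty ANSWER section is not flagged.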