[dns-operations] darkreading article on EDU signing

Michael Graff mgraff at isc.org
Fri Sep 11 18:33:04 UTC 2009



Chris Thompson wrote:

> The first thing that occurred to me was whether we can expect the
> GTLD servers to stop "promoting glue to answer" by the March 2010
> date. Otherwise that problem is going to become a lot more visible.
> 
> Currently, for example: take a zone under edu which is signed and
> in dlv.isc.org, i.e. psc.edu (all others are third-level the last
> time I checked). Flush all entries for it out of the cache on your
> validating-via-dlv.isc.org server, and try
> 
> $ dig +dnssec a dns1.psc.edu
> 
> ; <<>> DiG 9.6.1-P1 <<>> +dnssec a dns1.psc.edu
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36810
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;dns1.psc.edu.                  IN      A
> 
> ;; Query time: 1115 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Sep 11 12:09:50 2009
> ;; MSG SIZE  rcvd: 41

Hmm, I could not reproduce this.

I restarted my server, which is using DLV, and I get this (header and
answer section only):

bigmac:trunk explorer$ dig +dnssec psc.edu a

; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec psc.edu a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16282
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;psc.edu.                       IN      A

;; ANSWER SECTION:
psc.edu.                172800  IN      A       128.182.65.57
psc.edu.                172800  IN      RRSIG   A 5 2 172800
20091010190000 20090908190000 63546 psc.edu.
x7+/c/NrHErWRrHTvwQleJ0WjcXUYmjEd3Ax7giJabIBmgG7V43gELGh
s0HEa9BRp75rnaWnQn15xAsFBkaVaXWKMJ+Ii9UZoTTKrN7OPnOnASAu
ev9Dvv9XiS7OIyxJzKAvsihNLLbBDsyLuLAm/YW9Y+5R2pMHwEP7sFwS CrQ=

...

;; Query time: 1391 msec
;; SERVER: 10.42.255.254#53(10.42.255.254)
;; WHEN: Fri Sep 11 13:31:32 2009
;; MSG SIZE  rcvd: 1016

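
Added example, not part of the original message: a Python sketch that parses the header, OPT and question lines of the two dig transcripts above (embedded as constructed samples) and reports each response's validation outcome and the fields on which the two differ. The function names and outcome labels are hypothetical.

```python
import re

# Constructed samples: header, OPT and question lines copied from the two
# dig transcripts in the message above (answer data omitted).
QUOTED = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36810
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dns1.psc.edu.                  IN      A
"""
REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16282
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 7
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;psc.edu.                       IN      A
"""

def parse_dig(text):
    """Extract status, header flags, DO bit and question from dig output."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M).group(1).split()
    edns = re.search(r"^; EDNS:.*flags: ([a-z ]*);", text, re.M)
    q = re.search(r"QUESTION SECTION:\n;(\S+)\s+(\S+)\s+(\S+)", text)
    return {"status": status, "flags": set(flags),
            "do": bool(edns) and "do" in edns.group(1).split(),
            "qname": q.group(1).lower(), "qtype": q.group(3)}

def classify(r):
    """Map one parsed response to a validation outcome (hypothetical labels)."""
    if r["status"] == "SERVFAIL":
        # A validating resolver returns SERVFAIL for bogus data, but also for
        # unreachable servers; repeating with `dig +cdflag` tells them apart.
        return "servfail-check-with-cd"
    if r["status"] == "NOERROR" and "ad" in r["flags"]:
        return "validated"  # AD set: the resolver authenticated the answer
    return "not-validated"

def compare(a, b):
    """Return the fields on which two parsed transcripts differ."""
    return sorted(k for k in a if a[k] != b[k])

if __name__ == "__main__":
    a, b = parse_dig(QUOTED), parse_dig(REPLY)
    print(classify(a), classify(b), compare(a, b))
```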


