[dns-operations] Comcast Begins DNSSEC Rollout
Casey Deccio
casey at deccio.net
Tue Oct 19 15:22:14 UTC 2010
On Tue, Oct 19, 2010 at 5:56 AM, Griffiths, Chris
<Chris_Griffiths at cable.comcast.com> wrote:
> We are not using DLV to validate zones on our recursive resolvers, we are
> only using the root key as our trust anchor to validate.
Actually, it appears that the servers are using DLV (or some other
trust anchor at debian.org)... or returning the AD bit without
actually validating:
$ dig +dnssec www.debian.org @75.75.75.75
; <<>> DiG 9.6-ESV-R1 <<>> +dnssec www.debian.org @75.75.75.75
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62446
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;www.debian.org. IN A
;; ANSWER SECTION:
www.debian.org. 299 IN A 206.12.19.7
www.debian.org. 299 IN A 128.31.0.51
www.debian.org. 299 IN RRSIG A 5 3 300 20101110141801 20101013141801
38208 www.debian.org.
TQlUj84WkZBokqmDS8EHmRkCs2MTbf2FRobLxnN5tZ6yB6FUiUQbxMA/
pz2SiPTIuVz5AlwX5rGQKR8eJ9GisM+N8HPOGlKG146ytxrD28QBpNxn
NSYSRFsJB6lY9pOfrX0OJ4dSRn4dyCesmd2HejXKzEFDVhS/KHGrOCTy
2A+137LYLUI5npyH6H4xIElN
debian.org is not currently linked securely to .org, but is only in
ISC DLV. Note that responses for .gov names (also not yet linked to
the root zone) are also returning the AD bit (as appropriate).
> That being said,
> there appears to be an issue with couple of cached names on that
> particular node and we will take a look.
>
When I queried (last night) with the +cd flag, I received a response,
so whatever the issue, it did seem to be DNSSEC-related.
Regards,
Casey
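The check Casey describes above (read the AD bit on a DO-enabled answer, then compare against a `+cd` query) as an added, stand-alone example; it is not code from the thread or from Comcast. It builds the query and decodes the header with the standard library only; the SERVFAIL/+cd header pair and the diagnosis labels are constructed for illustration.

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035), named the way dig prints them.
FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010)]
RD, AD, CD = 0x0100, 0x0020, 0x0010
EDNS_DO = 0x8000          # "DNSSEC OK" bit in the OPT record's TTL field
NOERROR, SERVFAIL = 0, 2

def build_query(name, ident, checking_disabled=False, qtype=1):
    """Wire-format recursive query with an EDNS0 OPT record and DO set.
    checking_disabled=True produces what `dig +cd` sends."""
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 1)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # class IN
    # OPT RR: owner ".", type 41, UDP size 4096, ext-rcode 0, version 0, DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the 12-byte header; `flags` is rendered as dig shows it."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "rcode": flags & 0xF,
            "flags": " ".join(n for n, bit in FLAG_BITS if flags & bit),
            "ad": bool(flags & AD), "cd": bool(flags & CD),
            "counts": (qd, an, ns, ar)}

def diagnose(normal, with_cd):
    """Classify a resolver's behaviour from a normal answer and a +cd answer.
    A name that answers only when checking is disabled failed validation;
    AD on a NOERROR answer means the resolver asserts it validated the data
    (or, as the mail notes, is setting AD without validating)."""
    if normal["rcode"] == SERVFAIL and with_cd["rcode"] == NOERROR:
        return "validation failure"
    if normal["rcode"] == NOERROR and normal["ad"]:
        return "validated (AD set)"
    if normal["rcode"] == NOERROR:
        return "not validated (AD clear)"
    return "failure unrelated to validation"

# Constructed headers: DEBIAN_HDR reproduces the dig output above (id 62446,
# flags qr rd ra ad, counts 1/3/0/1); the other two model a SERVFAIL that
# clears when the same name is queried with +cd (flags qr rd ra cd).
DEBIAN_HDR = struct.pack("!HHHHHH", 62446, 0x81A0, 1, 3, 0, 1)
SERVFAIL_HDR = struct.pack("!HHHHHH", 7, 0x8182, 1, 0, 0, 1)
CD_OK_HDR = struct.pack("!HHHHHH", 8, 0x8190, 1, 2, 0, 1)
```

To probe a real resolver, send `build_query(...)` over UDP to port 53 and pass the first 12 bytes of each reply to `parse_header`.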