[dns-operations] Comcast Begins DNSSEC Rollout

Casey Deccio casey at deccio.net
Tue Oct 19 15:22:14 UTC 2010


On Tue, Oct 19, 2010 at 5:56 AM, Griffiths, Chris
<Chris_Griffiths at cable.comcast.com> wrote:
> We are not using DLV to validate zones on our recursive resolvers, we are
> only using the root key as our trust anchor to validate.

Actually, it appears that the servers are using DLV (or some other
trust anchor at debian.org)... or returning the AD bit without
actually validating:

$ dig +dnssec www.debian.org @75.75.75.75

; <<>> DiG 9.6-ESV-R1 <<>> +dnssec www.debian.org @75.75.75.75
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62446
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;www.debian.org.			IN	A

;; ANSWER SECTION:
www.debian.org.		299	IN	A	206.12.19.7
www.debian.org.		299	IN	A	128.31.0.51
www.debian.org.		299	IN	RRSIG	A 5 3 300 20101110141801 20101013141801
38208 www.debian.org.
TQlUj84WkZBokqmDS8EHmRkCs2MTbf2FRobLxnN5tZ6yB6FUiUQbxMA/
pz2SiPTIuVz5AlwX5rGQKR8eJ9GisM+N8HPOGlKG146ytxrD28QBpNxn
NSYSRFsJB6lY9pOfrX0OJ4dSRn4dyCesmd2HejXKzEFDVhS/KHGrOCTy
2A+137LYLUI5npyH6H4xIElN


debian.org is not currently linked securely to .org, but is only in
ISC DLV.  Note that responses for .gov names (also not yet linked to
the root zone) are also returning the AD bit (as appropriate).

> That being said,
> there appears to be an issue with a couple of cached names on that
> particular node and we will take a look.

When I queried (last night) with the +cd flag, I received a response,
so whatever the issue, it did seem to be DNSSEC-related.

Regards,
Casey
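The checks Casey is doing by hand above (a `dig +dnssec` query, a `+cd` retry, reading the AD flag and the returned RRSIG) expressed in DNS wire-format terms, as an added example that is not part of the original message or of anything Comcast or ISC published. It builds a query with the EDNS0 DO bit and optionally the CD header flag, then parses a response for its header flags, rcode, and the record types in each section. The response bytes and the RRSIG rdata are constructed for illustration, not captured from 75.75.75.75; the classification labels are this example's own.

```python
"""Wire-format helpers for checking what a recursive resolver asserts about
DNSSEC: DO in the query, AD/CD in the header, RRSIGs in the answer.
Added example, not from the thread; sample bytes below are constructed."""
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2)
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000                      # DNSSEC OK bit in the OPT RR "TTL" field (RFC 3225)
TYPE_A, TYPE_RRSIG, TYPE_OPT = 1, 46, 41


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at off, honouring compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def opt_rr(udp_size=4096, dnssec_ok=True):
    """EDNS0 OPT pseudo-RR: root owner, CLASS carries the UDP size, TTL carries DO."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO if dnssec_ok else 0, 0)


def build_query(name, qtype=TYPE_A, qid=0x1234, dnssec_ok=True, checking_disabled=False):
    """Equivalent of `dig +dnssec` (DO set) or `dig +dnssec +cd` (DO and CD set)."""
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    return header + question + opt_rr(dnssec_ok=dnssec_ok)


def parse_message(msg):
    """Return header flags, rcode, DO status and the RR types seen per section."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = {"answer": [], "authority": [], "additional": []}
    do = False
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            types[section].append(rtype)
            if rtype == TYPE_OPT and ttl & DO:
                do = True
    names = [n for bit, n in ((QR, "qr"), (AA, "aa"), (TC, "tc"), (RD, "rd"),
                              (RA, "ra"), (AD, "ad"), (CD, "cd")) if flags & bit]
    return {"id": qid, "flags": names, "rcode": flags & 0xF, "do": do, "types": types}


def classify(parsed):
    """Label what the resolver asserts; labels are this example's own convention."""
    if parsed["rcode"] == 2:
        return "servfail"            # retry with CD set: an answer then points at validation
    if "ad" in parsed["flags"]:
        if TYPE_RRSIG in parsed["types"]["answer"]:
            return "ad-with-rrsig"   # resolver claims validation; AD alone proves nothing to you
        return "ad-without-rrsig"
    return "unvalidated"


def build_response(query, answers, flags=QR | RD | RA | AD, rcode=0):
    """Constructed response: echoes the question, appends answer RRs plus an OPT RR."""
    qid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", qid, flags | rcode, 1, len(answers), 0, 1)
    body = b"".join(struct.pack("!H", 0xC00C)                         # name -> question
                    + struct.pack("!HHIH", rtype, 1, 299, len(rdata)) + rdata
                    for rtype, rdata in answers)
    return header + query[12:qend] + body + opt_rr()


# Constructed sample answer: one A record and an RRSIG whose rdata has the right
# layout (type covered, alg 5, labels 3, orig TTL, expiry, inception, key tag,
# signer) but filler timestamps and a zeroed signature.
SAMPLE_ANSWERS = [
    (TYPE_A, bytes([206, 12, 19, 7])),
    (TYPE_RRSIG, struct.pack("!HBBIIIH", TYPE_A, 5, 3, 300, 0, 0, 38208)
                 + encode_name("www.debian.org") + b"\x00" * 32),
]

if __name__ == "__main__":
    q = build_query("www.debian.org")
    p = parse_message(build_response(q, SAMPLE_ANSWERS))
    print(p["flags"], p["do"], classify(p))
```

To reproduce the thread's two observations against a live resolver you would send `build_query(name)` and `build_query(name, checking_disabled=True)` over UDP and compare `classify()` on both replies; a SERVFAIL that turns into an answer only when CD is set is what the message describes as DNSSEC-related, and AD on a name whose parent zone carries no DS means the trust anchor is coming from somewhere other than the root (DLV or a locally configured key).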
