[dns-operations] Fun with DNAME and DNSSEC

Tony Finch dot at dotat.at
Tue Jan 28 15:51:58 UTC 2014


We have an interesting reverse DNS setup. The University of Cambridge
Computer Laboratory has its own /16 of which they have allocated the upper
half for university-wide use; rather than delegating 128 sub-zones we use
DNAME to greatly reduce the amount of key management bureaucracy. There is
some example dig output below.

We now have secure delegation chains for both the reverse DNS down to
232.128.in-addr.arpa where the DNAMEs live, and to the DNAME target zone
in-addr.arpa.cam.ac.uk where the PTR records live.

So I thought it would be amusing to see what various debugging tools do
with these domain names.

The Verisign Labs DNSSEC debugger does quite well, though it does not
understand that CNAME records synthesized from DNAME records do not have
RRSIG records.

http://dnssec-debugger.verisignlabs.com/252.252.232.128.in-addr.arpa

The Sandia DNSViz tool seems to be discombobulated by something, and fails
to show anything unless I turn on the "denial of existence" option.

http://dnsviz.net/d/252.252.232.128.in-addr.arpa/dnssec/


; <<>> DiG 9.10.0a1 <<>> +dnssec +multiline +noauthority +noadditional 252.252.232.128.in-addr.arpa in ptr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64633
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 7, ADDITIONAL: 18

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;252.252.232.128.in-addr.arpa. IN PTR

;; ANSWER SECTION:
252.232.128.in-addr.arpa. 78164 IN DNAME 252.232.128.in-addr.arpa.cam.ac.uk.
252.232.128.in-addr.arpa. 78164 IN RRSIG DNAME 5 5 86400 (
                                20140214154356 20140115150233 48747 232.128.IN-ADDR.ARPA.
                                K/9DBl1nZ+arz42ZYJFruVQE7xiC9AOba3IPH+gKfV6o
                                nLdEUOGNmXQd9W4YHZ+XPxjSxrp5tHTid/a+b1Ngf4ai
                                18HW6El2HXy4qhGMLCFrH9mwWOZpiLKr4tANUGA2Ofst
                                8FAzoH+ZnIMmT1DAEcGmSZ+UZvlXZmZWQFCWjwA= )
252.252.232.128.in-addr.arpa. 78164 IN CNAME 252.252.232.128.in-addr.arpa.cam.ac.uk.
252.252.232.128.in-addr.arpa.cam.ac.uk. 78164 IN PTR gw-223.route-opress.net.cam.ac.uk.
252.252.232.128.in-addr.arpa.cam.ac.uk. 78164 IN RRSIG PTR 5 9 86400 (
                                20140220054710 20140123155918 16635 in-addr.arpa.cam.ac.uk.
                                LcXH4IRs1y1NVNEFuZN1Wt3l/JJxWi2qZX4QfW1eZERP
                                KlfHzIz4Mx/IzMr2f6vZ5zuluxE1uYTA+RIWhg3Lst0K
                                mECrDDnEtuy8ZE3iclKajXTDjNI23o+NhQ4gLcpHkxNb
                                GMocc6LoT8lyetbf88JdDsc= )

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Jan 28 14:41:48 GMT 2014
;; MSG SIZE  rcvd: 2316

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
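Added worked example (not part of the original post): the CNAME a resolver synthesizes from a DNAME is derived by suffix substitution per RFC 6672, and only the DNAME and the final PTR RRsets carry RRSIGs. The code below reproduces that substitution and checks the answer section of the dig output above for consistency; the sample record text is copied from that output with the signature data truncated, and the helper and function names are my own.

```python
# Added example, not from the post; sample copied from the dig output above (signatures truncated).
ANSWER_SECTION = """\
252.232.128.in-addr.arpa. 78164 IN DNAME 252.232.128.in-addr.arpa.cam.ac.uk.
252.232.128.in-addr.arpa. 78164 IN RRSIG DNAME 5 5 86400 (
                                20140214154356 20140115150233 48747 232.128.IN-ADDR.ARPA.
                                K/9DBl1nZ+arz42ZYJFruVQE7xiC9AOba3IPH+gKfV6o= )
252.252.232.128.in-addr.arpa. 78164 IN CNAME 252.252.232.128.in-addr.arpa.cam.ac.uk.
252.252.232.128.in-addr.arpa.cam.ac.uk. 78164 IN PTR gw-223.route-opress.net.cam.ac.uk.
252.252.232.128.in-addr.arpa.cam.ac.uk. 78164 IN RRSIG PTR 5 9 86400 (
                                20140220054710 20140123155918 16635 in-addr.arpa.cam.ac.uk.
                                LcXH4IRs1y1NVNEFuZN1Wt3l/JJxWi2qZX4QfW1eZERP= )
"""

def _labels(name):
    """Lowercase labels of a DNS name, trailing dot ignored."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def synthesize_cname(qname, dname_owner, dname_target):
    """RFC 6672 2.1: replace the DNAME owner suffix of qname with the target.
    The owner itself gets no CNAME, so qname must be a proper subdomain."""
    q, o, t = _labels(qname), _labels(dname_owner), _labels(dname_target)
    if len(q) <= len(o) or q[-len(o):] != o:
        raise ValueError(f"{qname} is not a proper subdomain of {dname_owner}")
    return ".".join(q[:-len(o)] + t) + "."

def parse_answer(text):
    """(owner, type, first rdata field) per record; skips comment lines and
    the indented continuation lines of dig's +multiline RRSIG output."""
    out = []
    for line in text.splitlines():
        if not line or line[0].isspace() or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        out.append((owner.lower().rstrip("."), rtype, rdata[0].rstrip(".")))
    return out

def check_dname_chain(text, qname):
    """Check the CNAME in the answer is the one synthesized from the DNAME and
    that no RRSIG claims to cover it; returns (cname target, signed RRsets)."""
    recs = parse_answer(text)
    dname = next(r for r in recs if r[1] == "DNAME")
    cname = next(r for r in recs if r[1] == "CNAME")
    expected = synthesize_cname(qname, dname[0], dname[2])
    if cname[0] != ".".join(_labels(qname)) or cname[2] + "." != expected:
        raise ValueError(f"CNAME {cname} does not match synthesized {expected}")
    signed = sorted((r[0], r[2]) for r in recs if r[1] == "RRSIG")
    if (cname[0], "CNAME") in signed:
        raise ValueError("a synthesized CNAME carries no RRSIG of its own")
    return expected, signed
```

Running check_dname_chain(ANSWER_SECTION, "252.252.232.128.in-addr.arpa.") returns the synthesized target and the two signed RRsets (the DNAME and the PTR), which is exactly the shape a debugger has to accept rather than flagging the unsigned CNAME.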



More information about the dns-operations mailing list