[dns-operations] issue with DNSSEC on one of the root NS with IPv6?

Alarig Le Lay alarig at swordarmor.fr
Tue May 16 22:55:01 UTC 2017


On mar. 16 mai 22:43:19 2017, Jim Reid wrote:
> 
> > On 16 May 2017, at 22:15, Alarig Le Lay <alarig at swordarmor.fr> wrote:
> > 
> > The root zone is not signed. Either with IPv6 or IPv4.
> 
> You’ve not really got a clear grasp of this DNS thing, have you?
> 
> 1) The root zone has been signed for almost 7 years.
> 
> 2) It doesn’t matter to DNSSEC if queries and responses use IPv4 or
> IPv6. Secure DNS works just fine with both. Well, modulo some corner
> cases with fragmentation which don’t matter here.
> 
> 3) The DS record indicates that a child (delegation) is signed. It
> goes in the parent zone, not the child zone.
> 
> 4) Asking for a DS record for “.” makes no sense. The root zone by
> definition does not have a parent zone. Which is where the DS record
> for its KSK would be. If such a DS record existed. Which it doesn’t.
> 
> 5) Try asking the root servers for DNSKEY records for “.”.

Seems to be a bad idea to read about the root-servers.net. (which is not
signed in this instance) and an email about a root server missing (or
discarding) DNSSEC signatures for the root zone (especially when lacking
of coffee).
I mixed it in my mind, resulting of doing a (pointless, as you
noticed) test against . but thinking about root-servers.net.
The original goal was to show that there is no signature delegation in
net. for root-servers.net.; but starting from the top, there is no
parent zone to check, so the test became a bit awkward.

The IPv4 and IPv6 where there to display that the result is the same
with both protocols as the F’s IPv6 address was expressly mentioned.

Sorry for the noise, and time to sleep in there.
-- 
alarig
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20170517/589909ef/attachment.sig>


More information about the dns-operations mailing list