On Jan 30, 2018, at 9:44 AM, Bob Harold <[email protected]> wrote:
> I would prefer to extend that to the root, and have a DNSSEC signed answer,
> although I realize that is difficult, and would accept the draft without it.
> But we should give some guidance for DNSSEC queries - do we give a bogus
> response with the IP's, or a validated answer of NXDOMAIN ?
It is possible to produce a signed answer, because the domain doesn't exist: if
you query the root and ask for a signed response, you should get one. This
response can be cached locally and returned to stub resolvers that ask for a
signed response.
cavall% dig @a.root-servers.net localhost
; <<>> DiG 9.10.1b1 <<>> @a.root-servers.net localhost
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19121
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;localhost. IN A
;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2018013001 1800 900 604800 86400
;; Query time: 1539 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Jan 30 11:37:13 CST 2018
;; MSG SIZE rcvd: 113
versus:
cavall% dig +dnssec @a.root-servers.net localhost
; <<>> DiG 9.10.1b1 <<>> +dnssec @a.root-servers.net localhost
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29683
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;localhost. IN A
;; AUTHORITY SECTION:
loans. 86400 IN NSEC locker. NS DS RRSIG NSEC
loans. 86400 IN RRSIG NSEC 8 1 86400 20180212150000 20180130140000 41824 . UZH9Nl/4FLq3t5xOJvrFQzaBf5sktHJHTyHzfTCQSHGR8/0ViSlZ1FGB
eac/wM4QXmDtuHaLI89zTHzsp6Bv2vVz09y/tUVgBfU4UcvkNOnSuToW
fXQaB6MPlqktp9lw0ZHAk4dyOyeBz6MhI+S6BCsY978Yk5kySi/S8kuz
0p5Bc1qUWJYi3xkFUMB1PQe3OCS031ZnM1de+tjcma2EJQgNFScdJbfH
68adi2BQvdhHz0wMTjpItTWTPIEwv11KKi19SzZKEBxQPHRlNC2fVSlV
bwg863ubm4lxmPEH6bdpsspKJObWYU8qC3E3KSXK6+ooBzyAVzI5ERRc yoz9zA==
. 86400 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 86400 IN RRSIG NSEC 8 0 86400 20180212150000 20180130140000 41824 . e/KqZevslC6QTFyDkwWKN5XUAgTLdUiJcoQhuDKcm1H7jgXOb+FMfvbM
/TrFMT+AheiN0pjN3evOrY9H0NN/4SBdrnEtPt1JV37GaQXwK3jEbB48
fLq/zKhmA1vvZY4lalToPYB1R7V4CHW7UIPbMX5HWeP178xmR0Dtc5y/
XI9gNpErCI4MkPoWEpMg4kOyBUtvOT02epRUbTrWovEM5TZkUiMLqGR1
lN09u5ARSOd06jTEhP4PtFvnzqbFMMlYWDl8P5wLzkUEDptsP2GZbFj0
kYEwvjVtihY9lwlY9Hl9r7xy4ucBNqVcZFnrnjEWxuo1vdUd0+3EjujR BplRcw==
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2018013001 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20180212150000 20180130140000 41824 . cQULD+MOdwm2zcCes3LXD6buPnAZpfJZRU7zT7GtM4XWx+uQjfWAotkt
gG6CuTzp2UvL2tqKcbHsNg7KjXycYv20OK6IBmu0/QGsSsw7hSmqUZar
B1OR5oQEGJ7v+uH326YIhPyjdqJiTiZ8ka/1tVdt2vYKOSg8qVGkvSgM
72LjFAKKHVYr9GHIAqIo4ZhcnjOpP+ql33Q7MgzkS/rYhPMCmaS4TvOu
ClF/YF+QxhcxSuyZLNH3TtRi+wGQpxu9bEHCd1qnuOnWNO1Kkh69zhNi
NIrqkS2NE/vRkRn5QLeFKe8UCr2u4UM1tmAk9xmVtZu01M01/+WIm0tf WIt3UA==
;; Query time: 80 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Jan 30 11:38:00 CST 2018
;; MSG SIZE rcvd: 1030
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
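The +dnssec response above is a complete NXDOMAIN proof in the RFC 4035 sense: "loans. NSEC locker." covers "localhost." in canonical order, and ". NSEC aaa." covers the wildcard "*." at the closest encloser (the root), so no wildcard could have synthesized an answer. The check below is an added example, not code from the original message or from any resolver; it implements RFC 4034 section 6.1 canonical name ordering and the RFC 4035 section 5.4 name-error logic over the two NSEC records transcribed from the dig output. It deliberately does not verify the RRSIGs, which a real validator must do first, and the "zw. NSEC ." record is a constructed wrap-around entry that is not on the page.

```python
"""
Added example: check that a root-zone NSEC chain proves NXDOMAIN for a name.

Canonical ordering follows RFC 4034 section 6.1; the name-error proof
follows RFC 4035 section 5.4 (one NSEC covers the queried name, another
covers the wildcard at the closest encloser). RRSIG verification is out
of scope here and must be done before these records are trusted.
"""
from __future__ import annotations


def canonical_key(name: str) -> tuple[bytes, ...]:
    """Labels of a presentation-format name, root first, lowercased.

    Tuple comparison then matches RFC 4034 s6.1: names compare from the
    most significant label, each label as unsigned octets, and a name
    that is a proper prefix (an ancestor) sorts first.
    """
    stripped = name.rstrip(".")
    if not stripped:
        return ()
    return tuple(lbl.lower().encode("latin-1") for lbl in reversed(stripped.split(".")))


def nsec_covers(owner: tuple, next_name: tuple, qname: tuple) -> bool:
    """True if qname sorts strictly between owner and next_name.

    When next_name <= owner this is the last NSEC in the chain, wrapping
    back to the apex, so it covers everything that sorts after owner.
    """
    if qname == owner:
        return False
    if next_name <= owner:
        return qname > owner or qname < next_name
    return owner < qname < next_name


def closest_encloser(qname: tuple, owner: tuple, next_name: tuple) -> tuple:
    """Longest ancestor of qname shared with the covering NSEC's owner or next."""
    def common(a: tuple, b: tuple) -> tuple:
        n = 0
        while n < min(len(a), len(b)) and a[n] == b[n]:
            n += 1
        return a[:n]
    return max(common(qname, owner), common(qname, next_name), key=len)


def proves_nxdomain(qname: str, nsec_rrs) -> tuple[bool, str]:
    """Return (ok, reason) for (owner, next, typebitmap) NSEC records."""
    q = canonical_key(qname)
    chain = [(canonical_key(o), canonical_key(n), t) for o, n, t in nsec_rrs]
    if any(o == q for o, _, _ in chain):
        return False, "name exists (NSEC owner matches): NODATA, not NXDOMAIN"
    covering = [(o, n) for o, n, _ in chain if nsec_covers(o, n, q)]
    if not covering:
        return False, "no NSEC covers the name"
    owner, nxt = covering[0]
    wildcard = closest_encloser(q, owner, nxt) + (b"*",)
    if any(o == wildcard for o, _, _ in chain):
        return False, "wildcard at the closest encloser exists: expect synthesis"
    if not any(nsec_covers(o, n, wildcard) for o, n, _ in chain):
        return False, "no NSEC denies the wildcard at the closest encloser"
    return True, "NXDOMAIN proven: name and wildcard both covered"


# The first two records are transcribed from the dig +dnssec output in the
# message; the "zw." record is constructed to show the chain wrapping back
# to the apex and is not from the page.
ROOT_NSEC = [
    ("loans.", "locker.", "NS DS RRSIG NSEC"),
    (".", "aaa.", "NS SOA RRSIG NSEC DNSKEY"),
    ("zw.", ".", "NS DS RRSIG NSEC"),  # constructed wrap-around record
]

if __name__ == "__main__":
    for name in ("localhost.", "loans.", "loan.", "zzz."):
        print(name, proves_nxdomain(name, ROOT_NSEC))
```

Note that "loan." is rejected: it sorts before "loans." (a proper prefix sorts first), so the NSEC on the page does not cover it and a resolver would need a different record from the chain. A stub or forwarder that caches the two NSECs plus their RRSIGs can answer "localhost." with a validated NXDOMAIN without going back to the root, which is the behaviour the message describes.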