Re: [Dnssec-deployment] examples of deeper DNSSEC delegations
On 21 June 2015 at 01:40, Michael Richardson m...@sandelman.ca wrote:

> I'm looking for real-life examples of DNSSEC delegations that are more than 3 levels deep.

A production zone maintained by me: http://dnsviz.net/d/rfs.le.ac.uk/dnssec/
Re: [Dnssec-deployment] examples of deeper DNSSEC delegations
Not quite real world as I use it for various dnssec tests (incl cds), but fwiw: www.kona.cds.zx.com

-Rick

-Original Message-
From: dnssec-deployment-boun...@dnssec-deployment.org [mailto:dnssec-deployment-boun...@dnssec-deployment.org] On Behalf Of Michael Richardson
Sent: Saturday, June 20, 2015 9:40 PM
To: DNSSEC Deployment List
Subject: [Dnssec-deployment] examples of deeper DNSSEC delegations

I'm looking for real-life examples of DNSSEC delegations that are more than 3 levels deep.

isoc.org is for instance, .-org, org-isoc, isoc.org-RRset.

Yes, I can fabricate some, but I want to be able to point to real world situations where this is occurring.

[cra.gc.ca *ought* to be a good example, and they ought to be using DANE too, but my government is too lame for DNSSEC]

ox.ac.uk would be a good example, as ac.uk is signed, and not run by uk, but ox.ac.uk is not signed.
nominet.org.uk -- doesn't work as org.uk is not a cut point.
gov.uk would work, are there signed entries under that?
co.uk won't work, as uk runs that, AFAIK.

--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] m...@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
Re: [Dnssec-deployment] examples of deeper DNSSEC delegations
On 21 Jun 2015, at 01:40, Michael Richardson m...@sandelman.ca wrote:

> gov.uk would work, are there signed entries under that?

No. cabinet-office.gov.uk was signed for a brief test some months ago. But it isn't signed any more. AFAIK that was the only signed delegation in gov.uk.

If you're looking for deep signed delegations, in-addr.arpa would be your best bet:

gromit% drill -S 10.140.49.185.in-addr.arpa ptr
;; Number of trusted keys: 1
;; Chasing: 10.140.49.185.in-addr.arpa. PTR

DNSSEC Trust tree:
10.140.49.185.in-addr.arpa. (PTR)
|---140.49.185.in-addr.arpa. (DNSKEY keytag: 13128 alg: 8 flags: 256)
    |---140.49.185.in-addr.arpa. (DNSKEY keytag: 6107 alg: 8 flags: 257)
    |---140.49.185.in-addr.arpa. (DS keytag: 6107 digest type: 2)
        |---185.in-addr.arpa. (DNSKEY keytag: 31591 alg: 5 flags: 256)
            |---185.in-addr.arpa. (DNSKEY keytag: 49879 alg: 5 flags: 257)
            |---185.in-addr.arpa. (DS keytag: 49879 digest type: 1)
            |   |---in-addr.arpa. (DNSKEY keytag: 2485 alg: 8 flags: 256)
            |       |---in-addr.arpa. (DNSKEY keytag: 53696 alg: 8 flags: 257)
            |       |---in-addr.arpa. (DS keytag: 53696 digest type: 2)
            |           |---arpa. (DNSKEY keytag: 45159 alg: 8 flags: 256)
            |               |---arpa. (DNSKEY keytag: 42581 alg: 8 flags: 257)
            |               |---arpa. (DS keytag: 42581 digest type: 1)
            |               |   |---. (DNSKEY keytag: 48613 alg: 8 flags: 256)
            |               |       |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
            |               |---arpa. (DS keytag: 42581 digest type: 2)
            |                   |---. (DNSKEY keytag: 48613 alg: 8 flags: 256)
            |                       |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
            |---185.in-addr.arpa. (DS keytag: 49879 digest type: 2)
                |---in-addr.arpa. (DNSKEY keytag: 2485 alg: 8 flags: 256)
                    |---in-addr.arpa. (DNSKEY keytag: 53696 alg: 8 flags: 257)
                    |---in-addr.arpa. (DS keytag: 53696 digest type: 2)
                        |---arpa. (DNSKEY keytag: 45159 alg: 8 flags: 256)
                            |---arpa. (DNSKEY keytag: 42581 alg: 8 flags: 257)
                            |---arpa. (DS keytag: 42581 digest type: 1)
                            |   |---. (DNSKEY keytag: 48613 alg: 8 flags: 256)
                            |       |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
                            |---arpa. (DS keytag: 42581 digest type: 2)
                                |---. (DNSKEY keytag: 48613 alg: 8 flags: 256)
                                    |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful
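
An added example, not part of the original message: a small Python parser for `drill -S` trust-tree output that counts secure delegations (zones reached through a DS record) separately from ZSK-to-KSK hand-offs inside one zone, and records the DS digest types and key algorithms per zone. The sample input is abridged from the output above; the function names are illustrative.

```python
import re

# Abridged from the drill -S output in the message above: the digest-type-2
# branch, plus the digest-type-1 DS line for 185.in-addr.arpa.
SAMPLE = """\
10.140.49.185.in-addr.arpa. (PTR)
|---140.49.185.in-addr.arpa. (DNSKEY keytag: 13128 alg: 8 flags: 256)
    |---140.49.185.in-addr.arpa. (DNSKEY keytag: 6107 alg: 8 flags: 257)
    |---140.49.185.in-addr.arpa. (DS keytag: 6107 digest type: 2)
        |---185.in-addr.arpa. (DNSKEY keytag: 31591 alg: 5 flags: 256)
            |---185.in-addr.arpa. (DNSKEY keytag: 49879 alg: 5 flags: 257)
            |---185.in-addr.arpa. (DS keytag: 49879 digest type: 1)
            |---185.in-addr.arpa. (DS keytag: 49879 digest type: 2)
                |---in-addr.arpa. (DNSKEY keytag: 2485 alg: 8 flags: 256)
                    |---in-addr.arpa. (DNSKEY keytag: 53696 alg: 8 flags: 257)
                    |---in-addr.arpa. (DS keytag: 53696 digest type: 2)
                        |---arpa. (DNSKEY keytag: 45159 alg: 8 flags: 256)
                            |---arpa. (DNSKEY keytag: 42581 alg: 8 flags: 257)
                            |---arpa. (DS keytag: 42581 digest type: 2)
                                |---. (DNSKEY keytag: 48613 alg: 8 flags: 256)
                                    |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
"""

# DNSKEY and DS nodes always carry the "|---" prefix; indentation is ignored,
# so whitespace-collapsed output (as in list archives) parses as well.
NODE = re.compile(
    r"\|---(\S+)\s+\((DNSKEY|DS) keytag: (\d+) "
    r"(?:alg: (\d+) flags: (\d+)|digest type: (\d+))\)"
)

def chain_summary(tree_text):
    """Map each zone, in child-to-root order, to its DS digest types and DNSKEY algorithms."""
    zones = {}
    for name, rtype, _tag, alg, _flags, digest in NODE.findall(tree_text):
        entry = zones.setdefault(name, {"ds_digests": set(), "algs": set()})
        if rtype == "DS":
            entry["ds_digests"].add(int(digest))
        else:
            entry["algs"].add(int(alg))
    return zones

def secure_delegations(tree_text):
    """Zones reached through a DS record, i.e. signed zone cuts.
    A ZSK-to-KSK step inside one zone is a key hand-off and is not counted."""
    return [z for z, e in chain_summary(tree_text).items() if e["ds_digests"]]

if __name__ == "__main__":
    cuts = secure_delegations(SAMPLE)
    print(len(cuts), "secure delegations:", cuts)
```
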
Re: [Dnssec-deployment] examples of deeper DNSSEC delegations
On 20 Jun 2015, at 20:40, Michael Richardson wrote:

> I'm looking for real-life examples of DNSSEC delegations that are more than 3 levels deep. isoc.org is for instance, .-org, org-isoc, isoc.org-RRset.

So, you're counting secure delegations, not hand-off between different keys.

> ox.ac.uk would be a good example, as ac.uk is signed, and not run by uk, but ox.ac.uk is not signed.

As usual, you should have been looking at the other university.

http://dnsviz.net/d/dns0.cl.cam.ac.uk/dnssec/

Joe
Re: [Dnssec-deployment] examples of deeper DNSSEC delegations
Check bncr.fi.cr or bnonline.fi.cr

Not only real live, but transactional web site!

regards,

On Jun 20, 2015, at 9:40 PM, Michael Richardson m...@sandelman.ca wrote:

> I'm looking for real-life examples of DNSSEC delegations that are more than 3 levels deep.
>
> isoc.org is for instance, .-org, org-isoc, isoc.org-RRset.
>
> Yes, I can fabricate some, but I want to be able to point to real world situations where this is occurring.
>
> [cra.gc.ca *ought* to be a good example, and they ought to be using DANE too, but my government is too lame for DNSSEC]
>
> ox.ac.uk would be a good example, as ac.uk is signed, and not run by uk, but ox.ac.uk is not signed.
> nominet.org.uk -- doesn't work as org.uk is not a cut point.
> gov.uk would work, are there signed entries under that?
> co.uk won't work, as uk runs that, AFAIK.
>
> --
> ] Never tell me the odds! | ipv6 mesh networks [
> ] Michael Richardson, Sandelman Software Works | network architect [
> ] m...@sandelman.ca http://www.sandelman.ca/ | ruby on rails [