- From: Jeff Taylor <shdwdrgn AT sourpuss.net>
- To: OpenNIC discussion <discuss AT lists.opennicproject.org>
- Subject: [opennic-discuss] Progress in DNSSEC
- Date: Wed, 18 Nov 2015 11:09:11 -0700
- Authentication-results: mx1.sourpuss.net; dmarc=none header.from=sourpuss.net
- Dmarc-filter: OpenDMARC Filter v1.3.0 mx1.sourpuss.net 33E522D4F4
As many of you know we have been signing the opennic root zone for some time now, and even some of the TLD zones are signed, however we seem to be falling short on fully enabling dnssec validation on client machines. We should probably start sharing information and see if we can't get a fully compliant service working...
To begin, I have added some information to an existing wiki page. Please see the section "Trusting the Root Zone" near the bottom at http://wiki.opennicproject.org/dnssecroot
I set up a VM to test this, and while the general ICANN zones seem to work and there are no longer errors indicating the root zone is not trusted, there are still failures in validating opennic domains. Specifically, I try to dig grep.geek and get this error:
- validating @0x7f10e9afc530: grep.geek A: got insecure response; parent indicates it should be secure
- error (insecurity proof failed) resolving 'grep.geek/A/IN'
Now the odd thing here is that grep.geek does not have any signing records, although the geek zone itself is signed. I tried adding a new managed-keys entry to the geek zone following what I did in the wiki, but this didn't help the previous error. I know that adding the option "dnssec-lookaside auto;" to BIND is supposed to skip domains that aren't signed, but I don't understand why it thinks grep.geek should be signed.
So, in moving forward, does anyone want to jump in and see if we can resolve this issue so that opennic works when validating dnssec signatures?
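As an added illustration (not part of Jeff's message or the OpenNIC wiki), this Python sketch models the decision behind BIND's "insecurity proof failed": given the parent zone's answer to a DS query, a validator may only treat the child as unsigned when the parent supplies a signed NSEC proving no DS exists. The records are constructed inline for grep.geek, and only the exact-owner NSEC case is modelled (NSEC3 and wildcard covering are omitted).

```python
"""Model of the DNSSEC "insecurity proof" a validator such as BIND performs.

Before treating a child zone (grep.geek) as unsigned, a validator needs the
signed parent (geek) to prove, with a signed NSEC at the delegation name,
that no DS exists (RFC 4035 section 5.2).  A published DS means the child
must be signed; neither a DS nor a signed denial means the delegation is
bogus.  Only exact-owner NSEC is modelled; NSEC3 and wildcards are omitted.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

@dataclass(frozen=True)
class RR:
    """One resource record, reduced to what the proof needs."""
    name: str
    rtype: str
    types: FrozenSet[str] = frozenset()  # NSEC: type bitmap; RRSIG: {type covered}

@dataclass
class DSResponse:
    """Parent's authoritative answer to 'DS <child>': answer and authority sections."""
    child: str
    answer: List[RR]
    authority: List[RR]

def _signed(rrs: List[RR], name: str, rtype: str) -> bool:
    """True if an RRSIG covering <rtype> at <name> is present in the section."""
    return any(r.rtype == "RRSIG" and r.name == name and rtype in r.types for r in rrs)

def delegation_status(resp: DSResponse) -> str:
    """Return 'secure', 'insecure' or 'bogus' for the delegation the response describes."""
    child = resp.child.lower().rstrip(".")
    if any(r.name == child and r.rtype == "DS" for r in resp.answer):
        # A DS exists, so the child zone is expected to be signed.
        return "secure" if _signed(resp.answer, child, "DS") else "bogus"
    for nsec in resp.authority:
        if nsec.rtype == "NSEC" and nsec.name == child:
            # A signed NSEC listing NS but not DS is the proof of an insecure delegation.
            ok = "NS" in nsec.types and "DS" not in nsec.types
            return "insecure" if ok and _signed(resp.authority, child, "NSEC") else "bogus"
    return "bogus"  # no DS and no provable denial: BIND's "insecurity proof failed"

def sample(kind: str) -> DSResponse:
    """Constructed (not captured) DS answers for grep.geek illustrating each outcome."""
    n = "grep.geek"
    nsec = RR(n, "NSEC", frozenset({"NS", "RRSIG", "NSEC"}))
    if kind == "has_ds":
        return DSResponse(n, [RR(n, "DS"), RR(n, "RRSIG", frozenset({"DS"}))], [])
    if kind == "signed_denial":
        return DSResponse(n, [], [nsec, RR(n, "RRSIG", frozenset({"NSEC"}))])
    return DSResponse(n, [], [nsec])  # denial present but unsigned
```

Against a live setup the same three inputs come from `dig +dnssec DS grep.geek` at a geek authoritative server; a result of "bogus" for an intentionally unsigned child points at the parent's denial, not the child.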