[opennic-discuss] Progress in DNSSEC

  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: OpenNIC discussion <discuss AT lists.opennicproject.org>
  • Subject: [opennic-discuss] Progress in DNSSEC
  • Date: Wed, 18 Nov 2015 11:09:11 -0700
  • Authentication-results: mx1.sourpuss.net; dmarc=none header.from=sourpuss.net
  • Dmarc-filter: OpenDMARC Filter v1.3.0 mx1.sourpuss.net 33E522D4F4

As many of you know we have been signing the opennic root zone for some time now, and even some of the TLD zones are signed; however, we seem to be falling short on fully enabling dnssec validation on client machines. We should probably start sharing information and see if we can't get a fully compliant service working...

To begin, I have added some information to an existing wiki page. Please see the section "Trusting the Root Zone" near the bottom at http://wiki.opennicproject.org/dnssecroot

I set up a VM to test this, and while the general ICANN zones seem to work and there are no longer errors indicating the root zone is not trusted, there are still failures in validating opennic domains. Specifically, I try to dig grep.geek and get this error:

- validating @0x7f10e9afc530: grep.geek A: got insecure response; parent indicates it should be secure
- error (insecurity proof failed) resolving 'grep.geek/A/IN'

Now the odd thing here is that grep.geek does not have any signing records, although the geek zone itself is signed. I tried adding a new managed-keys entry to the geek zone following what I did in the wiki, but this didn't help the previous error. I know that adding the option "dnssec-lookaside auto;" to BIND is supposed to skip domains that aren't signed, but I don't understand why it thinks grep.geek should be signed.

So, in moving forward, does anyone want to jump in and see if we can resolve this issue so that opennic works when validating dnssec signatures?
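The error quoted above ("got insecure response; parent indicates it should be secure" followed by "insecurity proof failed") is the resolver saying it could not prove that the parent zone publishes no DS record for the child. The following is an added example, not code from the list post or from BIND: a small model of the decision a validating resolver makes at a delegation (RFC 4035 section 5.2, NSEC only, with signature verification replaced by a `signed` flag). Every record and name in it is constructed for illustration; `grep.geek` and `zzz.geek` are placeholders, and the class and function names are this example's own.

```python
"""Model of the DNSSEC insecurity proof a validating resolver runs at a delegation.

Added example, not code from the OpenNIC list post or from BIND. Record data is
constructed for illustration; `signed=True` stands in for "the RRSIGs validated",
since signature verification is out of scope here (RFC 4035 section 5.2, NSEC only).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NSEC:
    owner: str            # owner name of the NSEC record
    next_name: str        # next owner name in canonical zone order
    types: frozenset      # type bitmap: RR types present at `owner`


@dataclass
class DSResponse:
    """Parent-zone answer to 'DS <child>' (constructed, not a real wire response)."""
    ds_present: bool = False                       # a validated DS RRset was returned
    nsecs: list = field(default_factory=list)      # NSEC records from the authority section
    signed: bool = True                            # all returned RRsets carried valid RRSIGs


def canonical_labels(name):
    """Labels of `name`, lower-cased, ordered from the root downward (RFC 4034 s6.1)."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl][::-1]


def canonical_cmp(a, b):
    """Return -1, 0 or 1 per DNSSEC canonical name ordering."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x.encode() < y.encode() else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def nsec_covers(nsec, qname):
    """True if qname sorts strictly between owner and next_name. The last NSEC in a
    zone wraps around to the apex, which is the `owner > next_name` case."""
    before = canonical_cmp(nsec.owner, qname) < 0
    after = canonical_cmp(qname, nsec.next_name) < 0
    if canonical_cmp(nsec.owner, nsec.next_name) < 0:
        return before and after
    return before or after          # wrap-around interval


def classify_delegation(child, resp):
    """Decide how a validator must treat data below `child` given the parent's DS answer.

    'secure'   -> DS exists: the child MUST return RRSIGs, unsigned answers are bogus.
    'insecure' -> proof that no DS exists: unsigned child data is accepted.
    'nxdomain' -> proof that the delegation itself does not exist in the parent.
    'bogus'    -> no usable proof either way (BIND logs 'insecurity proof failed').
    """
    if not resp.signed:
        return "bogus"
    if resp.ds_present:
        return "secure"
    for nsec in resp.nsecs:
        if canonical_cmp(nsec.owner, child) == 0:
            # Name exists in the parent: insecure only if it is a delegation (NS set)
            # with no DS, and not the parent's own apex (SOA set).
            if "NS" in nsec.types and "DS" not in nsec.types and "SOA" not in nsec.types:
                return "insecure"
            return "bogus"
        if nsec_covers(nsec, child):
            return "nxdomain"
    return "bogus"  # no DS and no NSEC proving its absence: insecurity proof failed


def scenarios():
    """Constructed cases mirroring the situation in the post (names are illustrative)."""
    good_nsec = NSEC("grep.geek.", "zzz.geek.", frozenset({"NS", "RRSIG", "NSEC"}))
    stale_nsec = NSEC("grep.geek.", "zzz.geek.", frozenset({"NS", "DS", "RRSIG", "NSEC"}))
    child = "grep.geek."
    return {
        # Parent proves there is no DS: the unsigned child is accepted as insecure.
        "unsigned child, NSEC proves no DS": classify_delegation(child, DSResponse(nsecs=[good_nsec])),
        # Parent still publishes a DS, or its NSEC bitmap still lists DS: child must sign.
        "stale DS in parent": classify_delegation(child, DSResponse(ds_present=True)),
        "NSEC bitmap still lists DS": classify_delegation(child, DSResponse(nsecs=[stale_nsec])),
        # Negative DS answer with no NSEC at all: nothing to validate, so bogus.
        "no NSEC returned": classify_delegation(child, DSResponse()),
        # The NSEC's RRSIG did not validate (e.g. trust anchor mismatch): bogus.
        "unvalidated NSEC": classify_delegation(child, DSResponse(nsecs=[good_nsec], signed=False)),
    }


if __name__ == "__main__":
    for label, verdict in scenarios().items():
        print(f"{label:40s} -> {verdict}")
```

The two outcomes to compare against the quoted log line are "stale DS in parent" (the parent still asserts the child is signed, so unsigned child data is rejected) and "no NSEC returned" or "unvalidated NSEC" (the parent never proved the DS is absent, which is what "insecurity proof failed" reports). Checking which of these the parent zone actually returns for a DS query at the delegation name is the first diagnostic step; the model deliberately omits NSEC3 and signature checking so the ordering and bitmap logic stays visible.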
