Discuss mailing list

[Jeff Taylor <shdwdrgn AT sourpuss.net>]

As many of you know we have been signing the opennic root zone for some 
time now, and even some of the TLD zones are signed, however we seem to 
be falling short on fully enabling dnssec validation on client 
machines.  We should probably start sharing information and see if we 
can't get a fully compliant service working...

To begin, I have added some information to an existing wiki page. Please 
see the section "Trusting the Root Zone" near the bottom at 
http://wiki.opennicproject.org/dnssecroot

I set up a VM to test this, and while the general ICANN zones seem to 
work and there are no longer errors indicating the root zone is not 
trusted, there are still failures in validating opennic domains.  
Specifically, I try to dig grep.geek and get this error:

- validating @0x7f10e9afc530: grep.geek A: got insecure response; parent 
indicates it should be secure
- error (insecurity proof failed) resolving 'grep.geek/A/IN'

Now the odd thing here is that grep.geek does not have any signing 
records, although the geek zone itself is signed.  I tried adding a new 
managed-keys entry to the geek zone following what I did in the wiki, 
but this didn't help the previous error.  I know that adding the option 
"dnssec-lookaside auto;" to BIND is supposed to skip domains that aren't 
signed, but I don't understand why it thinks grep.geek should be signed.

So, in moving forward, does anyone want to jump in and see if we can 
resolve this issue so that opennic works when validating dnssec signatures?