Discuss mailing list

[Jeff Taylor <shdwdrgn AT sourpuss.net>]

That's not exactly true...  I believe over half of the TLDs have functional dnssec records, but outside of the TLDs I manage on be.libre, only .chan and .o have submitted keys to include in the root zone (and the key for .o is expired).

As for whether it is ready to use...  well every time I say it passes all testing someone comes along and tells me it fails for them -- but cannot provide me with any example to reproduce the failures they claim.  If anyone wishes to test the validity of the dnssec keys in opennic's root zone, and provide me with *clear* command-line tests that show a particular failure, I would be happy to investigate and make corrections if needed.  We DO want dnssec to work properly, and the keys have been available in our root zone for around three years now.

One other bit of useful info to remind folks of... There is an API page which will provide the current public dnssec keys: https://api.opennicproject.org/keys/

If you want to query a specific TLD, add it as an option to the end of the url.  For example: https://api.opennicproject.org/keys/?opennic.glue

Of course you can also obtain the same information from the command line:
# dig libre. DNSKEY +short

On 10/22/2017 07:26 AM, Jonah Aragon wrote:

DNSSEC is enabled on every TLD. It’s enabled on the root right now but I’m not sure if it’s functional. It isn’t validated by any Tier 2 resolvers, which is the most important step anyways, so it isn’t currently in use. But theoretically it could be. Needs some testing before we ask everyone to enable it though.