Today is a historic day as the first generic Top-Level Domain (gTLD) has been signed. Only a few other top level domains, all of which are country code Top-Level Domains (ccTLDs), have been signed to date. This step is part of the first phase of adoption. Authoritative DNS servers need to sign and publish their zones. The second part is for the resolvers on the Internet to validate the keys. Both systems working together will provide security in the DNS.
We have a test bed setup that you can try at and as part of our commitment to seeing DNSSEC implemented.
In the output below, notice the “ad” in the flags section: it stands for authenticated data and means the resolver validated the response.
dig @recursive.dyn-dnssec.com gov. +dnssec
; <<>> DiG 9.3.4-P1.1 <<>> @recursive.dyn-dnssec.com gov. +dnssec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22568
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnsops.gov. IN A

;; AUTHORITY SECTION:
dnsops.gov. 3491 IN SOA snip1.dnsops.gov. admin.dnsops.gov. 20081121 43200 43200 1209600 3600
dnsops.gov. 3491 IN RRSIG SOA 5 2 3600 20090225162416 20090126162416 30060 dnsops.gov. Rx7i6V7Q0hEGxmkGtwfqXKROuL4cR/7QaPjrYUuOgqPREysRfS2Sbuw5 MIKDFUpviB0w3cLyeUiDsH9rCzL14atqpeU47LMhmeaUYv6Jyr8bk7YE HoVQYwnF5/LpOrBjbKDDeLPV4hOIc+miyz8aXpobWnYhXjs/cAZ7TV8W Gt0=
dnsops.gov. 3491 IN RRSIG NSEC 5 2 3600 20090225162416 20090126162416 30060 dnsops.gov. gv9ce1tAOEjFqoYRI0muEuMKcuwCaE3htGcKLDo4adMub+5Bgt7on6Fp JIdM5QD4p8j4cl++uZn+Q1ky5iOTQZY+Od2kplzoDZ2RiNgORpfJtUq9 F7dR3pf/1MYraAa5lpQ3lmhNDWtqUe7F1V2w+bnjxMdJ0t0wC7iMSVvE A24=
dnsops.gov. 3491 IN NSEC antd.dnsops.gov. NS SOA MX RRSIG NSEC DNSKEY
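As an added illustration (not part of the original post), the following Python reads the header lines of a dig response like the one above and reports what they say about validation. The first capture is the page's own header; the "unvalidated" and "SERVFAIL" captures are constructed counter-examples, and the verdict strings are my own labels.

```python
import re

# Header lines of the dig output shown above (the page's own capture, trimmed to the header).
DIG_VALIDATED = """\
; <<>> DiG 9.3.4-P1.1 <<>> @recursive.dyn-dnssec.com gov. +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22568
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

# Constructed counter-example: DO was sent, but the resolver did not validate, so no "ad".
DIG_UNVALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

# Constructed: a validating resolver that cannot build a chain of trust answers SERVFAIL.
DIG_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);")
EDNS_RE = re.compile(r"^; EDNS: version: (\d+), flags:\s*([^;]*);")


def parse_dig_header(text):
    """Pull the status, the header flag bits and the EDNS flag bits out of dig's header."""
    status, flags, edns = None, set(), set()
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            status = m.group(2)
            continue
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = EDNS_RE.match(line)
        if m:
            edns = set(m.group(2).split())
    return status, flags, edns


def validation_verdict(text):
    """Classify what the header tells you about DNSSEC validation.

    "ad" is set only by a resolver that validated the answer itself; it says nothing
    about whether the path between you and that resolver can be trusted.
    """
    status, flags, edns = parse_dig_header(text)
    if status is None:
        return "unparseable"
    if status == "SERVFAIL" and "do" in edns:
        return "servfail"        # validation failure or upstream trouble; re-query with +cd to tell them apart
    if status != "NOERROR":
        return "error:" + status
    if "ad" in flags:
        return "validated"
    if "do" in edns:
        return "unvalidated"     # DO was requested, but the resolver answered without AD
    return "dnssec-not-requested"


if __name__ == "__main__":
    for name, capture in [("page", DIG_VALIDATED), ("unvalidated", DIG_UNVALIDATED),
                          ("servfail", DIG_SERVFAIL)]:
        print(name, validation_verdict(capture))
```

Querying with +cd (checking disabled) after a SERVFAIL is the usual way to separate a validation failure from a resolver that simply cannot reach the authoritative servers: if the +cd query succeeds, the data exists and failed validation.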
For those who want to add the key to their resolver, add the following key (along with dnssec-enable yes; and dnssec-validation yes;):
trusted-keys {
    "gov." 257 3 7 "AwEAAZ1OCt7zZxeaROvzXNCNlqQWIi++p5ABXSoxqJ65WQko6xrI9RIm
    K7IBT5roFhXjBDGJ8ld9CYIEN94kK83K/QwUGCJ+v3vIQFi09IqsPeRdHTQyghWWbhzAZpnlZ16imXB4
    yFZjdbV2iM66KcgsESQMPEcIayDQJh6JEi1wmslrYvRRJ6YPOWrlLD0RmdtCaRuzlUE0RiWSem/i8vDF
    dmsSwChRMcORklKqjqt1+RBIiEFJGKIz7lGc9DXRwkBfb+halii+jrELiZAPzfO7rf08l3QlgHEuxclT
    TdEaxctPd2O2U/Hl9tRgkxRL/Zv1i0sEx2mOJGcUCeVm4Hf2aM8=";
};
The only concern right now is that the key is published only at the apex of their zone. There is no secured out-of-band channel to get it from (I pulled it from an email from someone who got it from the zone data). This is a huge operational challenge as other TLDs become DNSSEC-enabled.
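Because the key is only available from the zone itself, the practical check is to compute the key tag and DS digests from the published DNSKEY and compare them with whatever the registry later publishes out of band. The Python below does that for the .gov key above. It is an added example written for this page, not part of the original post or of any registry tooling; the DS comparison helper and the record layout it accepts are my own assumptions about how such a check would be wired up.

```python
import base64
import hashlib
import struct

# The .gov trust anchor from the trusted-keys statement above, as published at the zone apex.
GOV_ANCHOR = {
    "owner": "gov.",
    "flags": 257,       # ZONE (bit 7) + SEP (bit 15): a key-signing key
    "protocol": 3,
    "algorithm": 7,     # RSASHA1-NSEC3-SHA1
    "public_key": (
        "AwEAAZ1OCt7zZxeaROvzXNCNlqQWIi++p5ABXSoxqJ65WQko6xrI9RIm"
        "K7IBT5roFhXjBDGJ8ld9CYIEN94kK83K/QwUGCJ+v3vIQFi09IqsPeRdHTQyghWWbhzAZpnlZ16imXB4"
        "yFZjdbV2iM66KcgsESQMPEcIayDQJh6JEi1wmslrYvRRJ6YPOWrlLD0RmdtCaRuzlUE0RiWSem/i8vDF"
        "dmsSwChRMcORklKqjqt1+RBIiEFJGKIz7lGc9DXRwkBfb+halii+jrELiZAPzfO7rf08l3QlgHEuxclT"
        "TdEaxctPd2O2U/Hl9tRgkxRL/Zv1i0sEx2mOJGcUCeVm4Hf2aM8="
    ),
}


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, key."""
    key_bytes = base64.b64decode("".join(public_key.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key_bytes


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (every algorithm except the obsolete RSA/MD5, alg 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(owner_wire(owner) + rdata).hexdigest().upper()


def ds_record(anchor, digest_type=2):
    """Presentation-format DS record the parent would have to publish for this key."""
    rdata = dnskey_rdata(anchor["flags"], anchor["protocol"], anchor["algorithm"], anchor["public_key"])
    return "%s IN DS %d %d %d %s" % (anchor["owner"], key_tag(rdata), anchor["algorithm"],
                                    digest_type, ds_digest(anchor["owner"], rdata, digest_type))


def matches_published_ds(anchor, ds_line):
    """Compare a DS obtained out of band (registry page, ITAR, DLV) with the in-zone DNSKEY.

    Accepts "owner [ttl] IN DS tag alg dtype digest"; the digest may be split by whitespace.
    """
    fields = ds_line.split()
    i = fields.index("DS")
    tag, alg, dtype = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    digest = "".join(fields[i + 4:]).upper()
    if dtype not in (1, 2):
        return False
    rdata = dnskey_rdata(anchor["flags"], anchor["protocol"], anchor["algorithm"], anchor["public_key"])
    return (tag == key_tag(rdata) and alg == anchor["algorithm"]
            and digest == ds_digest(anchor["owner"], rdata, dtype))


def rsa_modulus_bits(key_bytes):
    """RSA public key field layout (RFC 3110): exponent length, exponent, modulus."""
    exp_len, offset = key_bytes[0], 1
    if exp_len == 0:                       # long form: two-byte exponent length follows
        exp_len, offset = struct.unpack("!H", key_bytes[1:3])[0], 3
    modulus = key_bytes[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


if __name__ == "__main__":
    rdata = dnskey_rdata(GOV_ANCHOR["flags"], GOV_ANCHOR["protocol"],
                         GOV_ANCHOR["algorithm"], GOV_ANCHOR["public_key"])
    print("key tag:", key_tag(rdata), "RSA bits:", rsa_modulus_bits(rdata[4:]))
    print(ds_record(GOV_ANCHOR, 1))
    print(ds_record(GOV_ANCHOR, 2))
```

The key tag is what the trusted-keys statement and any DS record will be indexed by, so it is the first thing to compare when two copies of a key arrive by different routes; the SHA-256 DS digest is the value to check against an out-of-band listing once one exists.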
The DNS operational challenge of getting a LOT of DNS servers to trust your key has been partially solved by the ISC DLV registry. You can just add
dnssec-lookaside . trust-anchor dlv.isc.org.;
to your named.conf configuration, together with the appropriate trusted-keys for their registry. That gives you one single trust anchor to maintain, and pushes the job of out-of-band secure verification onto ISC, so every individual DNS administrator does not need to do it.
Please get this .gov key added to the ISC dlv tree.
Check below for status of DNSSEC at .gov
https://www.dotgov.gov/dnssecinfo.aspx
Still in test mode at the moment, but coming along nicely. dnsops.gov. is the domain used for the SNIP (http://www.dnsops.gov) and is being used in testing the .gov. roll out.
dougm
Well, I might be curious about the status of DNSSEC in .gov, but not at the cost of going past the following text:
Warning! Use of this site is restricted!
This computer system is for the use of the United States Government. Unauthorized access, or access which exceeds authorized access is punishable under 18 USC 1030.
Let us know how that works out for you.
I noticed that too and am trying to get it fixed. Status page got put behind the login interface for secure delegations (not really ... if you click past this it still shows the status).
Anyway, for those scared off by the warnings ... here is what it says:
***************NOTICE***************
The DotGov is in the process of testing DNSSEC technologies and deployment scenarios for the .gov TLD.
As part of this testing you may notice DNSSEC resource records appearing in the TLD periodically. For the time being, such records should be considered as experimental and these test DNSSEC services are subject to fluctuation and change without further warning. In particular, we recommend not using this experimental service as the basis for validation on production resolvers.
Once testing is completed we will make the official production DNSSEC service declaration announcement on this site. Testing is expected to continue through February.
If your agency wishes to participate in the DNSSEC testing please contact the DotGov help desk. Please address the subject line as DNSSEC TESTING and we will contact you with information.
*************************************
I do not wish to minimize the efforts of the US General Services Administration to deploy DNSSEC, but I would note that the first sponsored gTLD to be signed was actually .museum. See Musedoma’s request to ICANN, and its subsequent approval of a limited testing.
PIR has also taken steps in that direction, which were approved by the ICANN board, but no such request from .GOV has yet been submitted, to my knowledge.
Thank you Patrick. If we were second, or third, we'd still be quite pleased that .museum is signed, and Carl's comment upthread is spot on. See you in Mexico. For the general CircleID reader, I'm the CTO of CORE, which operates the .museum registry back-end, and which signed this zone. Next up for us is signing .cat.
But I'm not optimistic :-(
I’m hoping that PIR is going to be submitting pretty soon, sounds like they are getting close. Eric, what’s the best way to receive museum’s key? Looks like it’s in DLV but do you distribute it elsewhere?
TLD operators can and should submit keys to both IANA’s ITAR at https://itar.iana.org/ and ISC’s DLV Registry.
Sorry but, unlike you, I see no .MUSEUM in the ISC DLV registry.
Ah, the key is just in OARC’s open resolver and I thought it was because they had uploaded the key. I see the page https://www.dns-oarc.net/oarc/services/odvr now, which lists that the key is not verified. Sorry for the confusion.