Hi!

I have an isolated DNSSEC test lab in which we simulated signing a ccTLD. My 
friends and I have already finished setting up the following:

1. client (resolvers)
2. DNS cache server (with a customized root hints file)
3. ROOT server (without root hints and with "." zone)
4. primary DNS server for "tld", "net.tld" and "testbed.net.tld" zones
5. secondary DNS server for "tld", "net.tld" and "testbed.net.tld" zones
6. primary DNS server for "domain.tld"
7. secondary DNS server for "domain.tld"

To keep this posting short, I won't narrate everything, but rather inform you 
that everything was set up correctly and that the client can query the RRs of 
domain.tld perfectly.

However, when we signed the "tld" zone, provided the trusted-key for "tld" to 
the DNS cache server and activated dnssec-enable yes; (which in turn enabled 
dnssec-validation), the DNS cache server was no longer able to find the 
hostname "ns1test.testbed.net.tld".

Here's the root hints:

.                               3600000         NS      ns1test.testbed.net.tld.
ns1test.testbed.net.tld.       3600000         A       192.168.1.212


Tracking the problem down: I have the "tld" zone signed, "net.tld" signed and 
its DS RR correctly defined in "tld", but "testbed.net.tld" is NOT signed... so 
we signed it and added the DS in 'net.tld'... and it worked! (In theory I could 
also have the root hints use a different FQDN and it would still work.)

Note: the root zone "." is not signed.


Direct to the question:

Q: I understand that BIND needs to validate *everything* once dnssec-validation 
is turned ON and a trusted-key is set up. But why does it need to validate the 
entries of its own root hints? Isn't it trustworthy enough, since the mapping is 
already in the file? Shouldn't there be an exemption in this case? Also, the 
zone being queried is "." (the root zone), so why does it need to validate 
"tld"?

I also have a production DNS cache server that has trusted-keys for "se", 
"gov", "dlv.isc.org", etc. and dnssec-validation enabled. (I haven't tried this 
yet, but) in theory, if I add a (fictitious) trusted-key for "net", will it 
totally break my DNS cache?
A.ROOT-SERVERS.NET.



Thanks!

_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users

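As an added illustration of the question above (this is not code from the post, and not BIND's own validator), here is a small Python model of the chain-of-trust walk a validating resolver performs once a trusted-key is configured. It assigns each name one of the RFC 4035 states (secure, insecure, bogus) from the trust anchors it holds and the DS / signed "no DS" proof available at each zone cut. The zone layout mirrors the lab in the post (unsigned root, signed tld and net.tld, trusted-key for tld); the key ids, the `no_ds_proof` field (a stand-in for a validated NSEC/NSEC3 denial of a DS record) and the "production" tree are constructed for the example.

```python
"""Simplified model of a DNSSEC validator's chain-of-trust walk.

Added illustration, not BIND's code. Zone contents, key ids and the
`no_ds_proof` stand-in for NSEC/NSEC3 denial are constructed for the example.
"""

from dataclasses import dataclass, field
from typing import Optional

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass
class Zone:
    name: str
    key_id: Optional[int] = None                   # None: zone is unsigned (no DNSKEY)
    ds: dict = field(default_factory=dict)         # child zone -> key id its DS in this zone points at
    no_ds_proof: set = field(default_factory=set)  # children for which a signed NSEC proves "no DS here"


def zone_cuts(name: str, zones: dict) -> list:
    """Zone names from the root down to the closest zone enclosing `name`."""
    labels = name.rstrip(".").split(".")
    cuts = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            cuts.append(candidate)
    return cuts


def validate(name: str, zones: dict, anchors: dict) -> str:
    """Security state a validator gives `name`; `anchors` maps zone -> trusted-key id.

    A name inherits the state of its closest enclosing zone.
    """
    cuts = zone_cuts(name, zones)
    state = INSECURE                               # nothing is checked above the first anchor
    for i, zone_name in enumerate(cuts):
        zone = zones[zone_name]
        if zone_name in anchors:
            # A trusted-key starts a chain whether it is right or wrong: a key that
            # does not match the zone's DNSKEY makes this zone and all below it bogus.
            state = SECURE if anchors[zone_name] == zone.key_id else BOGUS
            continue
        if i == 0 or state != SECURE:
            continue                               # unsigned root, or parent cannot vouch: state carries over
        parent = zones[cuts[i - 1]]
        if zone_name in parent.ds:
            # Secure delegation: the DS must match a DNSKEY the child actually serves.
            state = SECURE if parent.ds[zone_name] == zone.key_id else BOGUS
        elif zone_name in parent.no_ds_proof:
            state = INSECURE                       # proven unsigned delegation: accepted, not validated
        else:
            state = BOGUS                          # no DS and no signed proof of its absence
    return state


def lab_zones(testbed: str) -> dict:
    """The post's lab with an unsigned root; `testbed` selects how testbed.net.tld is delegated."""
    zones = {
        ".": Zone("."),                                      # root zone not signed (as in the post)
        "tld": Zone("tld", key_id=1001, ds={"net.tld": 2002}),
        "net.tld": Zone("net.tld", key_id=2002),
        "testbed.net.tld": Zone("testbed.net.tld"),          # unsigned by default
    }
    if testbed == "signed":                                  # what made the lab work: sign it, add its DS to net.tld
        zones["testbed.net.tld"].key_id = 3003
        zones["net.tld"].ds["testbed.net.tld"] = 3003
    elif testbed == "unsigned-proven":                       # unsigned, but net.tld's signed NSEC proves "no DS"
        zones["net.tld"].no_ds_proof.add("testbed.net.tld")
    # "unsigned-unproven": neither a DS nor a signed denial for it in net.tld
    return zones


def production_zones() -> dict:
    """Constructed stand-in for the public tree: unsigned root, signed se and net."""
    return {
        ".": Zone("."),
        "se": Zone("se", key_id=4004),
        "net": Zone("net", key_id=5005, no_ds_proof={"example.net"}),
        "example.net": Zone("example.net"),
    }


if __name__ == "__main__":
    anchor_tld = {"tld": 1001}
    for variant in ("unsigned-unproven", "unsigned-proven", "signed"):
        print(f"ns1test.testbed.net.tld with testbed {variant}:",
              validate("ns1test.testbed.net.tld.", lab_zones(variant), anchor_tld))
    print("www.example.net with a fictitious trusted-key for net:",
          validate("www.example.net.", production_zones(), {"se": 4004, "net": 9999}))
```

What the model makes visible: with a trusted-key for tld, every name under tld, including the one named in the root hints, lands in a zone the validator now has an opinion about, so the hints file's own mapping does not exempt it. A signed parent can delegate to an unsigned child only by proving the absence of a DS; a delegation with neither a validated DS nor a validated denial is bogus, and bogus answers are not returned. A trusted-key that does not match the zone's real DNSKEY does the same to that whole subtree, which is what a made-up key for "net" would do.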