A few questions about DNSSEC... I understand the root zones are currently getting signed. Just for sanity's sake, should I be able to dig +dnssec a.gtld-servers.net and see an RRSIG record (assume I have a valid DNSSEC recursive name server with a valid trust anchor configured)? Check out the following...
[r...@int-dns ~]# dig +dnssec a.gtld-servers.net

; <<>> DiG 9.6.1-P1 <<>> +dnssec a.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54144
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;a.gtld-servers.net.            IN      A

;; ANSWER SECTION:
a.gtld-servers.net.     171425  IN      A       192.5.6.30

;; AUTHORITY SECTION:
gtld-servers.net.       171424  IN      NS      d2.nstld.com.
gtld-servers.net.       171424  IN      NS      f2.nstld.com.
gtld-servers.net.       171424  IN      NS      a2.nstld.com.
gtld-servers.net.       171424  IN      NS      g2.nstld.com.
gtld-servers.net.       171424  IN      NS      l2.nstld.com.
gtld-servers.net.       171424  IN      NS      e2.nstld.com.
gtld-servers.net.       171424  IN      NS      c2.nstld.com.
gtld-servers.net.       171424  IN      NS      h2.nstld.com.

;; Query time: 130 msec
;; SERVER: 10.10.10.1#53(10.10.10.1)
;; WHEN: Tue Jun  1 09:46:13 2010
;; MSG SIZE  rcvd: 208

Also, reference the following URL..
https://ns.iana.org/dnssec/root.zone.signed

I assume this data is correct. Is there a security risk publishing this data? I understand DNS is public information, but why wouldn't the root be signed using NSEC3 versus NSEC?

Thanks.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
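The NSEC-versus-NSEC3 question in the post above comes down to what an authenticated denial of existence leaks. An NSEC record names the next existing owner in canonical order, so anyone can follow the chain and enumerate the whole zone; NSEC3 (RFC 5155) replaces owner names with salted, iterated SHA-1 hashes in base32hex, so the chain only exposes hashes. The script below is an added example written for this page, not code from the poster, from ISC or from BIND. The zone contents are constructed (the names follow the small zone used in RFC 5155 Appendix A, and the salt aabbccdd with 12 iterations are that RFC's NSEC3PARAM values); `walk_nsec`, `nsec3_hash` and `nsec3_chain` are names chosen here, not DNS library APIs.

```python
import hashlib

# Constructed sample: the NSEC chain of a small zone "example." in DNSSEC
# canonical order (owner -> next owner). The last record points back to
# the apex, closing the chain. These are constructed records, not fetched.
SAMPLE_NSEC = {
    "example.":       "a.example.",
    "a.example.":     "ai.example.",
    "ai.example.":    "ns1.example.",
    "ns1.example.":   "ns2.example.",
    "ns2.example.":   "w.example.",
    "w.example.":     "x.w.example.",
    "x.w.example.":   "x.y.w.example.",
    "x.y.w.example.": "xx.example.",
    "xx.example.":    "example.",
}


def walk_nsec(nsec_chain, apex):
    """Enumerate every owner name in a zone from its NSEC chain.

    Each NSEC returned in a negative answer reveals the next existing
    owner name, so an attacker needs one query per name to list the zone.
    Raises ValueError on a broken or looping chain instead of spinning.
    """
    names = [apex]
    current = apex
    while True:
        nxt = nsec_chain.get(current)
        if nxt is None:
            raise ValueError("broken NSEC chain at %s" % current)
        if nxt == apex:
            return names
        if nxt in names:
            raise ValueError("loop in NSEC chain at %s" % nxt)
        names.append(nxt)
        current = nxt


_B32HEX = "0123456789abcdefghijklmnopqrstuv"


def _base32hex(data):
    """Base32 with the extended-hex alphabet (RFC 4648 section 7),
    lowercase and unpadded, which is how NSEC3 owner names are spelled."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(_B32HEX[(value >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))


def _wire_name(name):
    """Canonical wire form of a name: lowercase, each label length-prefixed,
    terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """NSEC3 hashed owner name (RFC 5155 section 5): SHA-1(name || salt),
    then re-hashed 'iterations' more times with the salt appended each time.
    For "example.", salt aabbccdd, 12 iterations this yields
    0p9mhaveqvm6t7vbl5lop2u3t2rp3tom (the RFC 5155 Appendix A value)."""
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return _base32hex(digest)


def nsec3_chain(names, salt, iterations):
    """What an NSEC3 chain exposes instead: hashes only, sorted in hash order,
    each pointing at the next hash. Names can no longer be read off the chain."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashed[(i + 1) % len(hashed)] for i, h in enumerate(hashed)}


if __name__ == "__main__":
    zone = walk_nsec(SAMPLE_NSEC, "example.")
    print("NSEC walk recovered %d names:" % len(zone))
    for n in zone:
        print("   ", n)
    salt, iterations = bytes.fromhex("aabbccdd"), 12
    print("NSEC3 chain (salt=aabbccdd, iterations=12) exposes only hashes:")
    for h, nxt in nsec3_chain(zone, salt, iterations).items():
        print("   %s -> %s" % (h, nxt))
```

Note that NSEC3 hides names only against a casual reader: the salt and iteration count are published in NSEC3PARAM, so an attacker can still hash a dictionary of candidate names offline and compare against the chain. That is why NSEC3 is a deterrent for zones with many guessable names rather than a secrecy mechanism, and why for a zone whose contents are already public (as the poster notes DNS data generally is) plain NSEC costs nothing extra.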