In message <573607.58516...@web114302.mail.gq1.yahoo.com>, Heavy Man writes:

> A few questions about DNSSEC...
>
> I understand the root zones are currently getting signed. Just for sanity's sake, should I be able to DIG +dnssec a.gtld-servers.net and be able to see a RRSIG record (assume I have a valid dnssec recursive name server with a valid trust anchor configured). Check out the following...

Firstly it would be a.root-servers.net, not a.gtld-servers.net. Secondly root-servers.net is not signed and doesn't need to be.

> Also, reference the following URL..
>
> https://ns.iana.org/dnssec/root.zone.signed
>
> I assume this data is correct. Is there a security risk publishing this data? I understand DNS is public information but why wouldn't the root be signed using nsec3 versus nsec?

Because there is no benefit to signing with NSEC3.

* The entire zone is publicly available so you don't need the obscuration.
* The zone is so small that you don't need optout.

Also NSEC3 is more expensive operationally. The authoritative servers need to do more work to serve the zone and validators need to do more work to check the answers. You don't use NSEC3 unless there is a real benefit to using it. If you just have an HTTP server and email, don't go using NSEC3.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
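The two points in the reply above (NSEC exposes the zone's names to anyone who walks the chain, and NSEC3 buys obscurity at the price of extra hashing on both server and validator) can be made concrete in code. The following is an added example, not part of Mark's message or of BIND: it implements the NSEC3 owner-name hash from RFC 5155 (SHA-1 over the canonical wire-format name plus salt, iterated, encoded in base32hex) and an NSEC chain walk over a constructed toy zone. The zone names, salt and guess list are made up for the demonstration.

```python
"""NSEC vs NSEC3: what each leaks and what each costs.

Added example (not from the bind-users thread). Implements the RFC 5155
NSEC3 owner-name hash and an NSEC chain walk over a constructed toy zone.
"""
import hashlib

# RFC 4648 section 7 "base32hex" alphabet, used for NSEC3 owner names.
B32HEX = "0123456789abcdefghijklmnopqrstuv"

# Constructed toy zone (made-up names, not real data).
ZONE_NAMES = ["example", "ns1.example", "ns2.example", "www.example",
              "mail.example", "*.example", "x.w.example"]


def to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet; 20 bytes -> 32 chars, no padding."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(owner || salt), IH(k) = H(IH(k-1) || salt);
    the owner hash is IH(iterations), i.e. iterations + 1 SHA-1 calls."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def canonical_key(name: str):
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels compared
    from the root downwards, case-insensitively."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def nsec_chain(names) -> dict:
    """NSEC chain of a zone: each owner points at the next owner in canonical
    order; the last one wraps around to the apex."""
    ordered = sorted({n.rstrip(".").lower() for n in names}, key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def walk_nsec(chain: dict, apex: str) -> list:
    """Zone enumeration via NSEC: start at the apex and follow the 'next owner'
    pointers until they wrap. Every name falls out; no hashing, no guessing."""
    names, cur = [apex], chain[apex]
    while cur != apex:
        names.append(cur)
        cur = chain[cur]
    return names


def nsec3_chain(names, salt: bytes, iterations: int) -> list:
    """Sorted NSEC3 owner hashes: this is what the zone publishes, not the names."""
    return sorted(nsec3_hash(n, salt, iterations) for n in names)


def crack_nsec3(hashes, candidates, salt: bytes, iterations: int) -> dict:
    """Offline dictionary attack on an NSEC3 chain: hash each guess and look it
    up. Only guessed names come back, at iterations + 1 SHA-1 calls per guess.
    Returns {recovered_name: owner_hash}."""
    published, found = set(hashes), {}
    for guess in candidates:
        h = nsec3_hash(guess, salt, iterations)
        if h in published:
            found[guess.rstrip(".").lower()] = h
    return found


if __name__ == "__main__":
    salt, iters = bytes.fromhex("aabbccdd"), 12   # made-up NSEC3PARAM values
    print("NSEC walk:", walk_nsec(nsec_chain(ZONE_NAMES), "example"))
    hashes = nsec3_chain(ZONE_NAMES, salt, iters)
    print("NSEC3 chain:", hashes)
    guesses = ["www.example", "mail.example", "ftp.example", "example"]
    print("recovered by guessing:", crack_nsec3(hashes, guesses, salt, iters))
    print("SHA-1 calls per owner name, NSEC vs NSEC3:", 0, "vs", iters + 1)
```

Run it as a script and the NSEC walk lists every name in the toy zone from the apex alone, while the NSEC3 chain gives back only hashes and the dictionary attack recovers just the names that were guessed. The per-name cost column is the operational point in the reply: with NSEC nobody hashes anything; with NSEC3 the signer, the authoritative server answering a denial, and every validator each pay iterations + 1 SHA-1 calls per owner name, which is pure overhead when the zone, like the root, is public anyway. The live check the reply points to is `dig +dnssec SOA . @a.root-servers.net` (network required); RRSIG records appear in the answer only once the root zone is actually signed.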