Dear Marc,
Thanks for the detailed explanation. Now I understand why I was not getting my AD flag set in the query response. I tried from Google DNS (8.8.8.8) also but didn't get the AD bit set. This may be because 8.8.8.8 might not be configured for DLV validation. Is there any open DNS available from which I can check my domain for the AD flag being set?

Please don't print this e-mail until & unless you really need it; it will save trees on Planet Earth.
IPv4 is over. Are you ready for the new network?

Thanks n Regards,
GAURAV KANSAL
9910118448
VoIP - 6259
Operation And Routing Unit
NIC, NEW DELHI

From: Marc Lampo [mailto:marc.la...@eurid.eu]
Sent: Wednesday, January 11, 2012 12:52 PM
To: 'Gaurav kansal'; bind-users@lists.isc.org
Subject: RE: DNSSEC authentication and ad parameter

Hello,

The authoritative NS for nknsec.in. *does* give answers with corresponding RRSIGs!

    $ dig @ns1.nknsec.in. test.nknsec.in. +dnssec +short
    10.1.27.25
    A 5 3 360 20120204072952 20120105072952 16755 test.nknsec.in. DcLPb3hVDqal64UQe3Vk4NjbMRwSSWHNy4r/Bk42M2WQLZYBt9p7NpIT 6g1AVdP2vyFs2q4CbA/QLUMeVWptvHBNZcA8/M4DpW5GpsOmC3SeZe01 lCUzbANN/+NNg/PwHsPhLUOEatmjZxfrU3lGpxXFF527ohzxXatZdX48 lsM=

-> there is an A record and an RRSIG over that A record.

I hope you do not expect that (authoritative) NS to provide answers with the AD bit set? Because it will not!

Name servers in the authoritative role for a domain will never set the AD bit; they will provide DNSSEC data (NSEC(3), RRSIG, DNSKEY) allowing validating caching and forwarding name servers to perform validation. Those validating name servers will set the AD bit to indicate they performed verification and found everything OK.

Since, apparently, in .in you cannot get the DS information of your domain published yet, DLV is the only way to somehow establish a chain of trust. That requires that validating clients must also be configured for DLV.

And my feeling is, with the growing number of top-level domains getting ready for DNSSEC, there will be less and less demand for DLV (didn't I see a message stating end-of-life?).

Hope this is somehow helpful, if only to state that you should not expect the AD bit set from name servers in the authoritative role.

Kind regards,
Marc Lampo
Security Officer
EURid (for .eu)

From: Gaurav kansal [mailto:gaurav.kan...@nic.in]
Sent: 11 January 2012 06:16 AM
To: bind-users@lists.isc.org
Subject: DNSSEC authentication and ad parameter

Dear All,

I had purchased a new domain especially for DNSSEC testing. But when I asked my registry to insert my DS keys in the .in zone file, I got the answer that .in is still not ready for this, although .in is signed. I tried to authenticate my domain through ISC DLV. I uploaded my DS key there and it is showing a GOOD status for my domain, but still I am not getting the ad parameter in my dig answer. Can anyone please explain what I have to do next so that I can give authenticated answers for the test.nknsec.in domain?

Zone List (from dlv.isc.org):

    Zone Name        Status   DNSKEYs
    test.nknsec.in   Good     1

Please don't print this e-mail until & unless you really need it; it will save trees on Planet Earth.
IPv4 is over. Are you ready for the new network?

Thanks n Regards,
GAURAV KANSAL
9910118448
VoIP - 6259
Operation And Routing Unit
NIC, NEW DELHI
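Marc's point (an authoritative NS never sets AD; only a validating resolver does, and only when a chain of trust reaches the zone) can be checked mechanically. The helper below is an added example, not code from either poster: it reads full dig output and classifies it from the status and flags header lines; the sample headers in it are constructed, not real captures, and `check_validation` is a hypothetical wrapper that runs dig when given a name and a server.

```shell
#!/bin/sh
# Added example: classify a dig answer the way a DNSSEC-aware operator reads it.
# Feed full dig output (not +short) on stdin; prints one word:
#   authoritative - aa flag set: an authoritative NS answered; it never sets AD
#   secure        - NOERROR/NXDOMAIN with ad: the validating resolver verified it
#   insecure      - answer without ad: no chain of trust reached the zone
#                   (e.g. no DS in the parent and no DLV configured on the resolver)
#   bogus         - SERVFAIL: validation failed (retry with +cd to see the raw data)
#   unknown       - anything else (timeout, malformed output)
classify_dig_output() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\).*/\1/p')
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
  case "$status" in
    SERVFAIL) echo bogus; return 0 ;;
    NOERROR|NXDOMAIN) ;;
    *) echo unknown; return 0 ;;
  esac
  case " $flags " in
    *" aa "*) echo authoritative ;;
    *" ad "*) echo secure ;;
    *)        echo insecure ;;
  esac
}

# Hypothetical wrapper: query one server and classify its answer.
# Usage: check_validation test.nknsec.in 8.8.8.8
# Ask the authoritative NS and a validating resolver separately; only the
# latter can ever report "secure".
check_validation() {
  dig @"$2" "$1" A +dnssec | classify_dig_output
}

# Constructed sample header lines (not real captures) for offline use.
AUTH_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SECURE_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
INSECURE_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
BOGUS_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# With a name and a server on the command line, run a live check.
if [ $# -eq 2 ]; then
  check_validation "$1" "$2"
fi
```

An "insecure" result from a resolver that does validate is exactly the DLV situation in the thread: the zone is signed, but the resolver has no trust anchor path to it unless it is configured for DLV.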