Thanks for the hint. I also found this a useful link: https://dlv.isc.org/about/using
-dani

On Sun, May 16, 2010 at 11:52 AM, Rubens Kuhl <rube...@gmail.com> wrote:

> You probably need a trust anchor as well.
> See http://ftp.isc.org/isc/pubs/tn/isc-tn-2006-1.html.
>
> Rubens
>
>
> On Sun, May 16, 2010 at 3:14 PM, itservices88 <itservice...@gmail.com> wrote:
> > Hi,
> >
> > I was building a test domain for trying out the dnssec. However as mentioned
> > on various websites "ad" appears in the flags, but I can't see it. The
> > domain I am using is not real and I am testing from the same machine,
> > Fedora-12. Any help?
> >
> > Thanks
> >
> >
> > options {
> >     dnssec-enable yes;
> >     dnssec-validation yes;
> > };
> >
> > [r...@ns1 named-data]# dig +dnssec @localhost www
> > ; <<>> DiG 9.6.2-P1-RedHat-9.6.2-3.P1.fc12 <<>> +dnssec @localhost www
> > ; (2 servers found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16601
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 4096
> > ;; QUESTION SECTION:
> > ;www. IN A
> > ;; AUTHORITY SECTION:
> > . 5221 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010051600 1800 900 604800 86400
> > . 5221 IN RRSIG SOA 8 0 86400 20100523070000 20100516060000 55138 .
> > KTwve6TiQ6ShXCfEcbYusFWOCsx+IwCUumBr4GnwnNq1eqs7tqQaHqkJ
> > T/ewcvjXvRGOmHjhGRgqkdESse+/fa+tz1sSdvMsTGGI2Ba9/Fbb43Ty
> > eqsG5cFxbqfXOpwlA4ab9IR2Vkod6genONeYO6rrm2edNwQrf56wrtJr CNM=
> > . 5221 IN RRSIG NSEC 8 0 86400 20100523070000 20100516060000 55138 .
> > uIgAQvJUyLjAPwb7zB8wcJ4wk++21g+iF/bJGlpvz4iUJOMwkPgqA2s/
> > A8W0MhxBjo7918xg6yJeqYwXB+rGG14F7UZfOBVlXIqno5/kXzi4Carh
> > /8sulBMyHbFmVlOht5SLU230ROaI6+4o0B6IRyiP5Vzgjt00zyFu26Rg Yb8=
> > . 5221 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
> > ws. 5221 IN RRSIG NSEC 8 1 86400 20100523070000 20100516060000 55138 .
> > KsvM0PTDqWt0yoJNZ4k1UGTw0UtJZxsZa17bDHAyY7w1eocZlCqGJNd8
> > 2/WDeJMfCkM+MakJLblnixlI6QcNYV6ctrKZkNuA/iX2rwapouVYoC7G
> > HxvBLnb5TFWkCML+fhgOWza8RmRnCTY593uBgsPtcgEfTZAzYB+QFCEP 6oI=
> > ws. 5221 IN NSEC 测试. NS RRSIG NSEC
> > ;; Query time: 11 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Sun May 16 11:02:43 2010
> > ;; MSG SIZE rcvd: 641
> >
> > ===============================================================
> > On Wed, May 5, 2010 at 2:23 PM, Joe Abley <joe.ab...@icann.org> wrote:
> >
> >> Root Zone DNSSEC Deployment
> >> Technical Status Update 2010-05-05
> >>
> >> This is the sixth of a series of technical status updates intended
> >> to inform a technical audience on progress in signing the root zone
> >> of the DNS.
> >>
> >>
> >> ** The final transition to a signed root zone took place today
> >> ** on J-Root, between 1700--1900 UTC.
> >> **
> >> ** All root servers are now serving a signed root zone.
> >> **
> >> ** All root servers will now generate larger responses to DNS
> >> ** queries that request DNSSEC information.
> >> **
> >> ** If you experience technical problems or need to contact
> >> ** technical project staff, please send e-mail to roots...@icann.org
> >> ** or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred
> >> ** if possible.
> >> **
> >> ** See below for more details.
> >>
> >>
> >> RESOURCES
> >>
> >> Details of the project, including documentation published to date,
> >> can be found at <http://www.root-dnssec.org/>.
> >>
> >> We'd like to hear from you. If you have feedback for us, please
> >> send it to roots...@icann.org.
> >>
> >>
> >> DEPLOYMENT STATUS
> >>
> >> The incremental deployment of DNSSEC in the Root Zone is being
> >> carried out first by serving a Deliberately Unvalidatable Root Zone
> >> (DURZ), and subsequently by a conventionally signed root zone.
> >> Discussion of the approach can be found in the document "DNSSEC
> >> Deployment for the Root Zone", as well as in the technical presentations
> >> delivered at RIPE, NANOG, IETF and ICANN meetings.
> >>
> >> All of the thirteen root servers have now made the transition to
> >> the DURZ. No harmful effects have been identified.
> >>
> >> The final root server to make the transition, J-Root, started serving
> >> the DURZ in a maintenance window between 1700--1900 UTC on 2010-05-05.
> >>
> >> Initial observations relating to this transition will be presented
> >> and discussed at the DNS Working Group meeting at RIPE 60 in Prague
> >> on 2010-05-06.
> >>
> >>
> >> PLANNED DEPLOYMENT SCHEDULE
> >>
> >> Already completed:
> >>
> >>   2010-01-27: L starts to serve DURZ
> >>
> >>   2010-02-10: A starts to serve DURZ
> >>
> >>   2010-03-03: M, I start to serve DURZ
> >>
> >>   2010-03-24: D, K, E start to serve DURZ
> >>
> >>   2010-04-14: B, H, C, G, F start to serve DURZ
> >>
> >>   2010-05-05: J starts to serve DURZ
> >>
> >> To come:
> >>
> >>   2010-07-01: Distribution of validatable, production, signed root
> >>     zone; publication of root zone trust anchor
> >>
> >> (Please note that this schedule is tentative and subject to change
> >> based on testing results or other unforeseen factors.)
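
The "ad" flag asked about in this thread is one bit (AD, Authenticated Data) in the DNS response header, which a validating resolver sets only when it could validate the answer from a configured trust anchor. The Python below is an added example, not part of the thread: it decodes the header fields that dig prints, using one header rebuilt from the values in the quoted dig output and one hypothetical header with AD set (both constructed).

```python
import struct

# Single-bit flags in the 16-bit flags word of the DNS header
# (RFC 1035 section 4.1.1; AD and CD are defined by RFC 4035).
FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010)]
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields dig prints."""
    if len(msg) < 12:
        raise ValueError("truncated message: DNS header is 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "opcode": (flags >> 11) & 0xF,
        "status": RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}"),
        "flags": [name for name, mask in FLAG_BITS if flags & mask],
        "counts": (qd, an, ns, ar),  # QUERY, ANSWER, AUTHORITY, ADDITIONAL
    }


def is_authenticated(msg: bytes) -> bool:
    """True only for a response (QR) in which the resolver set AD.

    AD is the resolver's claim, so it is only meaningful when the path to
    that resolver is trusted (in the thread: localhost).
    """
    flags = parse_header(msg)["flags"]
    return "qr" in flags and "ad" in flags


# Constructed sample 1: header rebuilt from the dig output quoted in the
# thread (id 16601, flags qr rd ra, NXDOMAIN, counts 1/0/6/1).
UNVALIDATED = struct.pack("!6H", 16601, 0x8183, 1, 0, 6, 1)
# Constructed sample 2: hypothetical NOERROR reply with the AD bit set.
VALIDATED = struct.pack("!6H", 16601, 0x81A0, 1, 2, 0, 1)

if __name__ == "__main__":
    for label, msg in (("thread", UNVALIDATED), ("validated", VALIDATED)):
        h = parse_header(msg)
        print(label, h["status"], " ".join(h["flags"]), is_authenticated(msg))
```
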