
Re: [dns-wg] DNSSEC: Signed zones list

  • From: Lutz Donnerhacke lutz@localhost
  • Date: Tue, 28 Feb 2006 12:27:16 +0000 (UTC)
  • Lines: 146
  • Newsgroups: iks.lists.ripe.dns-wg
  • Nntp-posting-date: Tue, 28 Feb 2006 12:27:16 +0000 (UTC)
  • Nntp-posting-host: taranis.iks-jena.de
  • Organization: IKS GmbH Jena
  • Path: not-for-mail

* Max Tulyev wrote:
> So what exactly I should do with this?

In your named.conf:
  options {
    ...
    dnssec-enable yes;
    dnssec-lookaside "." trust-anchor "dnssec.iks-jena.de";
  };
  
  trusted-keys {
    "iks-jena.de." 257 3 5 "AQPRteOmx973cbeIMigT7nciz3dcbt8ssZPGOK2vtPQl
			    EaZO2fKgnm1Fo6FPWcGqKv6O1ZpjEw2upKVDnzwMCRHp
			    Ge0Qh2TawStviww/jxUtjoZom9Hy6uIkTvo7TxqnWg55
			    LoHlcsl1kxsF1PsM2Z88F1XhXSrUtkiQnViXbfzR0joD
			    E8xGJ9zRNuzr9Jik+bcv4S4KFOE/Ocn4F5vF7+eojz9m
			    3/u0gvQdvgFsb7OHr9cYA5GeG++cJWGG6xFF+yWEDdWu
			    u2A7IJM3EQFWLr0kGDS6oWo/5Bz4PlrURjU5wahM1iwL
			    nbKXhQQempzPYnSEs1CW+KH73WjMa76Dna9B";
  };

What happens now?

Imagine you query the A record for coruscant.dyn.niconet.se.

coruscant.dyn.niconet.se. 38 IN	A 213.114.39.13
coruscant.dyn.niconet.se. 38 IN	RRSIG A 5 4 60 20070120160745 (
				20060119150745 651 dyn.niconet.se.
				F5vLlZAn5k/Mtaw6PSzkxTaTtHS8myV95eEOugY5lepf
				PJIiFbV5HiHZSDpoNXjAhzWzHY96+R0Wd7Qu2UUr3gDn
				Z/YXoHzLqC3lzRS9HSVx9HzzPixjt0/8ChhEK0QMUuhh
				lN8Xq90ayiUdtkK6jDM5CG27VjMbtr/de4475TSmBOut
				m+Jd/B+E8s+OzHTNXphAM0LgGjhS1IZcpMoQyfPbosbD
				K6VqD79nJdjzPZlmE2f0cFesELkJEHC1bcRA32W3BwI6
				k+UB1T+yqf4TJj25BoTwfWVP/AEe4BHe1at44K6LDA2f
				bQc9ibWFGup/O8S8IkcNi76AiA2XVibcjA== )
coruscant.dyn.niconet.se. 38 IN	RRSIG A 5 4 60 20070120160745 (
				20060119150745 65120 dyn.niconet.se.
				T+4KN4Ol3e6cPLy7ue4wSd9VwnCWYLxvOSljCtWnQxKp
				oCvrNjkkAV0j1AHHqI5nMK63mbyb+tUudq/3jFX5WhCl
				hCaSWFNH+LIB5982VixgodqCUKJrUTfB2bB33ZD320PO
				msa1H3bJ532Vf2BudACn40bNdjc87mW4sGwv9g7FzEJ0
				yuEkem+fm0AAP2qKBXRkiTSJwo6I3LiwIWODJenAP8XZ
				odhk+PWipFQSNhnPRd3tYIKUYHIOOUMaEFECTdtyTsaM
				K8fIgE1AD6b6XjiQx9eDolIvDmSELc/K12L4qCWJbh84
				burp6AXMm5TpzTCJMbXuc/xPZJIW7D2T/g== )

As you can see, it's signed! Let's check the signatures.

First we need the key. From the RRSIG entries, both keys reside in the
zone dyn.niconet.se. and have the key ids 651 and 65120.
So let's retrieve those DNSKEYs.

dyn.niconet.se.		300 IN DNSKEY 256 3 5 (
				AQOfq5czkMFmGPBCa8lXbM+yyNPfBQvn9Uomj3to07kz
				NegN4gqPdfXy2lIhYJ9JF1wQ7bvG2J3fo1Ysu9E2AIn3
				hdesGyiAEGXO1PJqMYmts/1tXtE2HQ8LNa+omo90Ph2O
				5cJN5YKDXdYJ1fZzfJrpza6VHmSeXrVQMsQYx8nO69ns
				rCtmMhopXp9I+Vvv9e7eG8/c4ji60AgigNGYro7GbUQQ
				4YicoRL7USZiXEVWstzXXk+XQ+5IOny6+Q7rij7fdipM
				CZ41vvJ2N0ETMfzZuYR3AcaWVauOxITVnobVZaFfZ5Us
				5Id2FSyW8A1AvDPLMJNZWM23VBhNmmESCnrn
				) ; key id = 65120
dyn.niconet.se.		300 IN DNSKEY 257 3 5 (
				AQPCeNlj/rDZis8yPN8GI2WXJpnoIF1iIiS4xCc8gAJM
				77pmuVEalUqhGhjykMA0uSrWrQu0nBl0FvFCp0vL4T+4
				ZLT7Ug7KOTJauiiEuxj7IGNhHh7az6Q0KXf8Y8i1pvvA
				PPWENZJqUgK1YMTJ6t/GTTGld4elhwz5a3vu2aAc2GpZ
				MAqa9idTC8o8x1A8w9e3B7fr2cMwiMnyk3Mk+2SLZAxU
				dk45S8gBuV0UEEUoU5viSkNOgxeaAprO7ORR/AJB/20V
				EiJ9FAsfnjTcqR57GS5NMeh/cIVm46xBwjEdighCTimn
				yBXmtwdj52hW843DK//9hO6gdEVn1Z84ezud
				) ; key id = 651
dyn.niconet.se.		300 IN RRSIG DNSKEY 5 3 300 20061118080551 (
				20051118080551 651 dyn.niconet.se.
				cNbr1mwi0tCzPSGBdzQfWs7OjvgDIoKJNupf6Arnm4zX
				5EpYDJO8v4XzM4QIrPTGHHEBBmjHYaCeRxbzh0sBf3MD
				ZnD3feNMAXdTFRY+J3fLsZFtfpH8duBNmU3YM13y7B9j
				ZT8mhLTkSPKTeecdNcSZpTy8UzRo/wYNpHnFzGafenwf
				HUNls0qE+m9eR4+l5m006NBuLymgmVnVBcvMXRmcI0gZ
				0wSNeIGtC3WOggE0Aknf47JWH09nt9PogdJ+0Eh2sg7p
				Uf+wxfjLzbEiNjo3z+TdulUp6X774WnY+O0gaIMmxZmV
				POybUM49UJsCgVXPGs1vn2MosPXa/8Mj2A== )
dyn.niconet.se.		300 IN RRSIG DNSKEY 5 3 300 20061118080551 (
				20051118080551 65120 dyn.niconet.se.
				PXQs5HGRmC3N3NSQVxxKEMy7IyJKqkzBmGnfQB7CDOEq
				9BYzxlrU5o4yWktSgaDVy0yDhJYFPW0DU0WHV29TUmCm
				aqV5oMvuj328vSb4MGPIQFR58J2R8aRgj3FyeBcOQYfR
				6UfFyN4o/ZHy8PvcUOFWrPlnereTkfrArIq97o5NrojE
				RndF8v3h0kcdECJ/BgAvCFF4x4TnSHoIooMokfS86vmS
				hUuI5W7afCI9qjkrB+RWtCpuKaeUqstdM188BTxqNAqP
				acGhYICgpo2hmRfdhwAYmdlFjAaDD13hHn26pu/JLa0O
				2bBUPEy4JKjKievm9MZz2eg9z5ClEtuSxA== )

There are two DNSKEYs and both are signed by each other. We can now check
the signatures but are still unable to verify the trustworthiness of the keys used.

So let's ask for chaining information from parent.

dyn.niconet.se.		300 IN DS 651 5 1 (
				5AA71DA50AD09FA2857E4E695F4979056683F2BF )
dyn.niconet.se.		300 IN RRSIG DS 5 3 300 20070204110034 (
				20060204110034 32669 niconet.se.
				W0Dv73cO2I2DLMaDeUr0ROw1VuQ0/3ejrbH1PUDEVYzq
				nAy93TQY8hlOoz3vPEDXupsOq/H+bvi/94G4ovCHGfD8
				FlkNJwKE6KTu+8QcLJ+8K/08FVJbz30zcCZliA74 )

This is a signed fingerprint for key 651. The signing key has id 32669 in
zone niconet.se. Let's skip the dnskey query for niconet.se and ask the
parent directly.

niconet.se.		86094 IN DS 48132 5 1 (
				14C1848A3B17143389613853CF06EEA76BEBD43F )
niconet.se.		86094 IN RRSIG DS 5 2 86400 20060305195120 (
				20060227200552 17585 se.
				RoDfJvvofrW5JJVYaZFEzFD3AUcAiPeNNgxBeVDJkiVG
				J72SSIrDXI6wEwEiBE2JDiuyR6moduTB96O8CUlXflT8
				8Llzdn1xAVM8p19lSwyJfxMIwDyXxeyi3XuSoRLdAhSV
				gDqAUn1CIFfZkOI9TvnLqmurvAhryQDabQ2SgCo= )

The signing key is 17585 in zone se. There is no signed fingerprint for the
zone se on the root servers. So we have a secure entry point for which we
have to check the trustworthiness.

There are two possibilities:
  a) Find a different way to obtain the key directly from the se-maintainers.
     Install this key as "trusted-keys".
  b) Use a lookaside zone by querying for DLV from se.dnssec.iks-jena.de.

se.dnssec.iks-jena.de.	57600 IN DLV 17686 5 1 (
				9E5E81A0B71A9B6B251077F700AA730E18D712EF )
se.dnssec.iks-jena.de.	57600 IN RRSIG DLV 5 4 57600 20060324223850 (
				20060222223850 890 dnssec.iks-jena.de.
				JShT4Nd3TS+nVLEWhm9pwpIiBncDXj3USKrwo8jLCfhD
				nHhyYEntZcg4UkSKLanhPVW83cVRGAnT/bYuT2qXct1B
				+k8DNPbaff0CNX0coSAim6CzJlf0ICOVM3GZELT2NtNw
				9pd0lZ+289eUIhsvW8xEZ1oZLB0e6clde28BKqI= )

This is a signed fingerprint (same format as DS) for the key 17686 from se.
It is signed by key 890 from dnssec.iks-jena.de. In turn this key is signed
by 41517 from dnssec.iks-jena.de. which has a fingerprint signed by 52706
from iks-jena.de. In turn this key is signed by 30258 from iks-jena.de.

And finally this very last key is marked as trustworthy by your local
configuration. Have fun!
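The link the walk above checks at every delegation is "does the parent's DS really cover this child DNSKEY". The following is an added example (not part of the original post, nor of BIND), in Python: it computes the RFC 4034 key tag and the digest-type-1 (SHA-1) DS fingerprint of a DNSKEY and compares them with a DS record, using the post's own DNSKEY 651 of dyn.niconet.se. and the DS that niconet.se. serves for it; the 2-byte key in the assertions is a constructed toy value.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical owner name in DNS wire format (labels lower-cased, root label last)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit word sum of the RDATA with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha1(owner: str, rdata: bytes) -> str:
    """DS digest type 1: SHA-1 over canonical owner name + DNSKEY RDATA, upper-case hex."""
    return hashlib.sha1(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner: str, rdata: bytes, ds_tag: int, ds_alg: int, ds_digest: str) -> bool:
    """Does this DS (key tag, algorithm, digest) cover this DNSKEY? All three must agree."""
    return (rdata[3] == ds_alg
            and key_tag(rdata) == ds_tag
            and ds_digest_sha1(owner, rdata) == ds_digest.upper())

# Values copied from the post: the 257 (KSK) DNSKEY of dyn.niconet.se., which dig
# labels "key id = 651", and the DS record for it served by the parent zone niconet.se.
KEY651_B64 = ("AQPCeNlj/rDZis8yPN8GI2WXJpnoIF1iIiS4xCc8gAJM77pmuVEalUqhGhjykMA0uSrWrQu0nBl0FvFCp0vL4T+4"
              "ZLT7Ug7KOTJauiiEuxj7IGNhHh7az6Q0KXf8Y8i1pvvAPPWENZJqUgK1YMTJ6t/GTTGld4elhwz5a3vu2aAc2GpZ"
              "MAqa9idTC8o8x1A8w9e3B7fr2cMwiMnyk3Mk+2SLZAxUdk45S8gBuV0UEEUoU5viSkNOgxeaAprO7ORR/AJB/20V"
              "EiJ9FAsfnjTcqR57GS5NMeh/cIVm46xBwjEdighCTimnyBXmtwdj52hW843DK//9hO6gdEVn1Z84ezud")
DS651_DIGEST = "5AA71DA50AD09FA2857E4E695F4979056683F2BF"

def page_link_check() -> tuple:
    """Key tag computed from the post's DNSKEY, and whether the post's DS covers that key."""
    rdata = dnskey_rdata(257, 3, 5, KEY651_B64)
    return key_tag(rdata), ds_matches("dyn.niconet.se.", rdata, 651, 5, DS651_DIGEST)

if __name__ == "__main__":
    print(page_link_check())
```

The same three checks (algorithm, key tag, digest) apply unchanged to a DLV record, which carries DS-format RDATA; only the owner name is rewritten (se. becomes se.dnssec.iks-jena.de.).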