[dns-wg] DNSSEC: Signed zones list
Jeroen Massar
jeroen at unfix.org
Mon Feb 27 13:07:36 CET 2006
On Mon, 2006-02-27 at 14:30 +0300, Max Tulyev wrote:
> > Another trick to delegate the maintaining work is to use a lookaside zone.
> > There are two zones out there: dlv.verisignlab.com and dnssec.iks-jena.de.
> > A lookaside zone is used by your DNS server to determine a "DS" record for
> > an unknown zone. Consequently the lookaside zone does not contain records
> > for chained zones.
>
> It's like black magic :(
>
> localhost bind # ping dlv.verisignlab.com
> ping: unknown host dlv.verisignlab.com

try adding an 's'. The above is a very nice example of a domainsquatter
(also something where neither dnssec nor tls can help, as anyone can
register any domain)

$ dig -t any dlv.verisignlabs.com
;; Truncated, retrying in TCP mode.
[..]
dlv.verisignlabs.com. 86400 IN NS ns1.dlv.verisignlabs.com.
dlv.verisignlabs.com. 3600 IN DNSKEY 256 3 5 AQOlH7LDa3Sy/rK +WyqydkS94p1hWWhEyTdZhxwuz/1zPGqh8pc8lXNj tOqcVXNSQX1XCSJPhW8XylXlq8gLlyRiVUs+TBoKrGYs7VARuLqZZDW4 Utu +VuDsTCjxjtAgxH15KfJbmnpMP3ffQvDHzyj8F2Dw6aaLHAwot3eI YWOy7w==
[..]

> localhost bind # ping dnssec.iks-jena.de
> ping: unknown host dnssec.iks-jena.de

Doesn't have an A record, but does have a large number of others.
Use the 'dig'.

Greets,
Jeroen