
First gTLD Signed: Dot Gov

Today is a historic day: the first gTLD has been signed. Only a handful of other top-level domains, all of them ccTLDs, have been signed to date. This step belongs to the first phase of adoption, in which authoritative DNS servers sign and publish their zones. The second phase is for resolvers across the Internet to validate those signatures against trusted keys. Only with both sides working together does DNSSEC provide security in the DNS.

We have a test bed set up that you can try at as part of our commitment to seeing DNSSEC implemented.

To take a look, run the query below against a validating resolver and notice the “ad” in the flags section of the header. It stands for authenticated data: the resolver is asserting that it validated the signed response.

dig gov. +dnssec

; <<>> DiG 9.3.4-P1.1 <<>> gov. +dnssec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22568
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096

; IN A

;; AUTHORITY SECTION:
3491 IN SOA 20081121 43200 43200 1209600 3600
3491 IN RRSIG SOA 5 2 3600 20090225162416 20090126162416 30060 Rx7i6V7Q0hEGxmkGtwfqXKROuL4cR/7QaPjrYUuOgqPREysRfS2Sbuw5 MIKDFUpviB0w3cLyeUiDsH9rCzL14atqpeU47LMhmeaUYv6Jyr8bk7YE HoVQYwnF5/LpOrBjbKDDeLPV4hOIc+miyz8aXpobWnYhXjs/cAZ7TV8W Gt0=
3491 IN RRSIG NSEC 5 2 3600 20090225162416 20090126162416 30060 gv9ce1tAOEjFqoYRI0muEuMKcuwCaE3htGcKLDo4adMub+5Bgt7on6Fp JIdM5QD4p8j4cl++uZn+Q1ky5iOTQZY+Od2kplzoDZ2RiNgORpfJtUq9 F7dR3pf/1MYraAa5lpQ3lmhNDWtqUe7F1V2w+bnjxMdJ0t0wC7iMSVvE A24=
3491 IN NSEC NS SOA MX RRSIG NSEC DNSKEY

For those who want to add the key to their resolver as a trust anchor, add the following trusted-keys statement to your BIND configuration, along with dnssec-enable yes; and dnssec-validation yes; in the options block:

trusted-keys {
    "gov." 257 3 7 "AwEAAZ1OCt7zZxeaROvzXNCNlqQWIi++p5ABXSoxqJ65WQko6xrI9RIm...";
};
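Before loading a trust anchor someone hands you, it is worth cross-checking it against the key tag the zone's RRSIGs carry (30060 in the dig output above). The following is an added Python example, not code from the original post or from BIND: it parses a trusted-keys entry, decodes the DNSKEY flags (257 = zone key with the SEP bit, i.e. a KSK) and computes the key tag per RFC 4034 Appendix B. Because the key in the post is truncated, the entry embedded here uses a constructed four-byte placeholder key so the arithmetic can be checked by hand. A matching tag only catches transcription errors and mismatched keys; it is not proof of authenticity, which is exactly why an out-of-band channel for the key matters.

```python
"""Parse a BIND trusted-keys entry and compute its DNSKEY key tag.

Added example, not from the original post. The key tag (RFC 4034,
Appendix B) is the number an RRSIG carries to name its signing key, so
it lets you cross-check a trust anchor against the key tag seen in the
zone's RRSIGs before you load it into a resolver.
"""
import base64
import re

ENTRY = re.compile(
    r'"(?P<name>[^"]+)"\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+'
    r'"(?P<key>[^"]+)"\s*;')


def parse_trusted_keys(text):
    """Return a list of (name, flags, protocol, algorithm, key_bytes)."""
    entries = []
    for m in ENTRY.finditer(text):
        key_b64 = "".join(m.group("key").split())  # BIND allows the base64 to wrap
        entries.append((m.group("name"), int(m.group("flags")), int(m.group("proto")),
                        int(m.group("alg")), base64.b64decode(key_b64)))
    return entries


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key-tag computation (for algorithms other than 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags):
    """Decode DNSKEY flags: bit 7 (0x0100) = Zone Key, bit 15 (0x0001) = SEP."""
    zone_key = bool(flags & 0x0100)
    sep = bool(flags & 0x0001)
    if zone_key and sep:
        return "KSK"
    if zone_key:
        return "ZSK"
    return "not a zone key"


# Constructed sample with the same shape as the entry in the post, but a
# placeholder 4-byte "public key" (bytes 01 02 03 04) instead of real data.
SAMPLE = '''
trusted-keys {
    "gov." 257 3 7 "AQID
                    BA==";
};
'''


def check_anchor(text, rrsig_key_tag):
    """For each entry: (name, role, computed tag, tag == rrsig_key_tag)."""
    report = []
    for name, flags, proto, alg, key in parse_trusted_keys(text):
        tag = key_tag(flags, proto, alg, key)
        report.append((name, key_role(flags), tag, tag == rrsig_key_tag))
    return report


if __name__ == "__main__":
    # The placeholder key works out to tag 2062; the post's RRSIGs name 30060.
    for name, role, tag, ok in check_anchor(SAMPLE, 30060):
        print(name, role, tag, "matches RRSIG" if ok else "does not match RRSIG")
```

With the full key from the zone's DNSKEY RRset in place of the placeholder, `check_anchor(text, 30060)` tells you whether the anchor you were given is the key that actually signed the records you saw.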

The only concern right now is that the key is published only at the apex of the zone itself; there is no secure out-of-band channel to obtain it from (I pulled it from an email from someone who got it from the zone data). This is a huge operational challenge as more TLDs become DNSSEC-enabled.
