Today is a historic day: the first gTLD, .gov, has been signed with DNSSEC. Only a handful of other top-level domains, all of them ccTLDs, have been signed to date. This is the first half of adoption: the authoritative DNS servers sign their zones and publish the signatures and keys. The second half is for resolvers across the Internet to validate those signatures against a trust anchor they hold. Only with both halves in place does DNSSEC actually protect a lookup.
We have a test bed setup that you can try at http://dynamicnetworkservices.com/dnssec as a part of our commitment to seeing DNSSEC implemented.
To take a look, run the query below against our validating resolver and notice the "ad" bit in the flags line of the answer. It stands for Authenticated Data: the resolver sets it only after it has validated the RRSIG signatures on the response. The +dnssec option is what asks for signed data; it sets the "do" (DNSSEC OK) bit shown in the EDNS pseudosection, and without it neither the RRSIG records nor the "ad" bit would come back.
dig @recursive.dyn-dnssec.com gov. +dnssec
; <<>> DiG 9.3.4-P1.1 <<>> @recursive.dyn-dnssec.com gov. +dnssec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22568
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnsops.gov. IN A
;; AUTHORITY SECTION:
dnsops.gov. 3491 IN SOA snip1.dnsops.gov. admin.dnsops.gov. 20081121 43200 43200 1209600 3600
dnsops.gov. 3491 IN RRSIG SOA 5 2 3600 20090225162416 20090126162416 30060 dnsops.gov. Rx7i6V7Q0hEGxmkGtwfqXKROuL4cR/7QaPjrYUuOgqPREysRfS2Sbuw5 MIKDFUpviB0w3cLyeUiDsH9rCzL14atqpeU47LMhmeaUYv6Jyr8bk7YE HoVQYwnF5/LpOrBjbKDDeLPV4hOIc+miyz8aXpobWnYhXjs/cAZ7TV8W Gt0=
dnsops.gov. 3491 IN RRSIG NSEC 5 2 3600 20090225162416 20090126162416 30060 dnsops.gov. gv9ce1tAOEjFqoYRI0muEuMKcuwCaE3htGcKLDo4adMub+5Bgt7on6Fp JIdM5QD4p8j4cl++uZn+Q1ky5iOTQZY+Od2kplzoDZ2RiNgORpfJtUq9 F7dR3pf/1MYraAa5lpQ3lmhNDWtqUe7F1V2w+bnjxMdJ0t0wC7iMSVvE A24=
dnsops.gov. 3491 IN NSEC antd.dnsops.gov. NS SOA MX RRSIG NSEC DNSKEY
For those who want to add the key to their BIND resolver as a trust anchor, put the following line in a trusted-keys statement in named.conf (and set dnssec-enable yes; and dnssec-validation yes; in the options block):
"gov." 257 3 7 "AwEAAZ1OCt7zZxeaROvzXNCNlqQWIi++p5ABXSoxqJ65WQko6xrI9RIm
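Here is how the two pieces fit together in a BIND 9 named.conf, as an added example that is not part of the original post. The key material is a placeholder: it has to be replaced with the complete base64 public key from the gov. DNSKEY record, and this example does not attempt to reconstruct the truncated line above.

```conf
options {
    // Turn on DNSSEC processing and signature validation in the recursive server.
    dnssec-enable yes;
    dnssec-validation yes;
};

// Static trust anchor for gov.: flags 257 marks a key-signing key, protocol is
// always 3, algorithm 7 is RSASHA1-NSEC3-SHA1. Replace the placeholder with the
// full base64 public key exactly as published in the gov. DNSKEY record.
trusted-keys {
    "gov." 257 3 7 "<full base64 DNSKEY public key from the gov. zone apex>";
};
```

After reloading named (rndc reload), repeat the dig +dnssec query above against your own resolver; if the "ad" bit appears, validation is working. Keep in mind that a trusted-keys anchor is static: when the zone operator rolls its key-signing key, every name under gov. fails validation until this line is updated by hand, so the anchor has to be tracked, not just installed once.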
The only concern right now is that the key is published only in the DNSKEY RRset at the apex of the gov. zone itself, which is exactly the data a validator is trying to verify, so fetching the anchor from there gives no assurance at all. Right now there is no secured out-of-band channel to get it from (I pulled it from an email sent by someone who got it out of the zone data). This is a huge operational challenge as other TLDs become DNSSEC enabled: every resolver operator needs an authenticated way to obtain, and later to refresh, each trust anchor.
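When an operator does publish something out of band, it is usually a key tag or a DS digest rather than the whole key, so the check on the resolver side is to recompute those from the DNSKEY you received in-band and compare. The following is an added example written for this post, not code from Dyn or from the gov. operator; it implements the key tag of RFC 4034 Appendix B (the same number that appears as 30060 in the RRSIG records above) and the DS digest of RFC 4034 section 5 and RFC 4509 over the canonical owner name. The public key it ships with is constructed dummy data, not the real gov. key.

```python
"""DS-record computation for cross-checking a DNSSEC trust anchor (RFC 4034 / RFC 4509).

Added example, not code from the original post or from Dyn. Given a DNSKEY
obtained in-band (pasted from dig output or a trusted-keys line), it computes
the key tag and DS digest so they can be compared with values the zone
operator publishes out of band. The public key below is constructed dummy
data, not the real gov. key; algorithm 1 (RSA/MD5, deprecated) uses a
different key-tag rule and is deliberately not handled.
"""
import base64
import hashlib
import hmac
import struct

# Constructed sample key: 257 = KSK flag, protocol 3, algorithm 8 (RSA/SHA-256).
# The base64 is split into chunks the way dig prints it.
SAMPLE_OWNER = "gov."
SAMPLE_DNSKEY_TEXT = "257 3 8 AwEAAQAA AAAAAAAA"

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_dnskey(text):
    """Parse 'flags protocol algorithm base64...' presentation format.

    The base64 may be broken into several whitespace-separated chunks, as dig
    and named.conf show it; the chunks are joined back together.
    """
    parts = text.split()
    if len(parts) < 4:
        raise ValueError("expected: flags protocol algorithm base64")
    flags, protocol, algorithm = (int(p) for p in parts[:3])
    return flags, protocol, algorithm, "".join(parts[3:])


def wire_name(owner):
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    owner = owner.rstrip(".").lower()
    out = b""
    if owner:
        for label in owner.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("bad label length in %r" % owner)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: the number shown in RRSIG and DS records."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_to_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex) as they appear in a DS RR."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(owner, dnskey_text, expected_tag, expected_digest, digest_type=2):
    """True only if the in-band DNSKEY reproduces the out-of-band key tag and digest."""
    flags, protocol, algorithm, b64 = parse_dnskey(dnskey_text)
    tag, _, _, digest = dnskey_to_ds(owner, flags, protocol, algorithm, b64, digest_type)
    wanted = expected_digest.replace(" ", "").upper()
    return tag == expected_tag and hmac.compare_digest(digest, wanted)


if __name__ == "__main__":
    f, p, a, b64 = parse_dnskey(SAMPLE_DNSKEY_TEXT)
    tag, alg, dt, digest = dnskey_to_ds(SAMPLE_OWNER, f, p, a, b64)
    print("%s IN DS %d %d %d %s" % (SAMPLE_OWNER, tag, alg, dt, digest))
```

The owner name is lowercased and the trailing dot normalised before hashing because the DS digest is defined over the canonical form, so "GOV" and "gov." must yield the same digest; a different owner name or digest type yields a different one, which is why ds_matches takes the owner explicitly rather than trusting whatever label came with the pasted key.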