
First gTLD Signed: Dot Gov

Today is a historic day: the first gTLD has been signed. Only a few other top-level domains, all of them ccTLDs, have been signed to date. This step is part of the first phase of adoption: authoritative DNS servers need to sign and publish their zones. The second part is for the resolvers on the Internet to validate the keys. Both systems working together will provide security in the DNS.

We have a test bed set up that you can try at http://dynamicnetworkservices.com/dnssec as part of our commitment to seeing DNSSEC implemented.

To see it in action, query the test resolver and notice the “ad” in the flags section of the reply. It stands for authenticated data.

dig @recursive.dyn-dnssec.com gov. +dnssec

; <<>> DiG 9.3.4-P1.1 <<>> @recursive.dyn-dnssec.com gov. +dnssec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22568
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096

;; QUESTION SECTION:
;dnsops.gov. IN A

;; AUTHORITY SECTION:
dnsops.gov. 3491 IN SOA snip1.dnsops.gov. admin.dnsops.gov. 20081121 43200 43200 1209600 3600
dnsops.gov. 3491 IN RRSIG SOA 5 2 3600 20090225162416 20090126162416 30060 dnsops.gov. Rx7i6V7Q0hEGxmkGtwfqXKROuL4cR/7QaPjrYUuOgqPREysRfS2Sbuw5 MIKDFUpviB0w3cLyeUiDsH9rCzL14atqpeU47LMhmeaUYv6Jyr8bk7YE HoVQYwnF5/LpOrBjbKDDeLPV4hOIc+miyz8aXpobWnYhXjs/cAZ7TV8W Gt0=
dnsops.gov. 3491 IN RRSIG NSEC 5 2 3600 20090225162416 20090126162416 30060 dnsops.gov. gv9ce1tAOEjFqoYRI0muEuMKcuwCaE3htGcKLDo4adMub+5Bgt7on6Fp JIdM5QD4p8j4cl++uZn+Q1ky5iOTQZY+Od2kplzoDZ2RiNgORpfJtUq9 F7dR3pf/1MYraAa5lpQ3lmhNDWtqUe7F1V2w+bnjxMdJ0t0wC7iMSVvE A24=
dnsops.gov. 3491 IN NSEC antd.dnsops.gov. NS SOA MX RRSIG NSEC DNSKEY

For those who want to add the key to their resolver, add the following key to your BIND configuration, along with dnssec-enable yes; and dnssec-validation yes;

trusted-keys {
"gov." 257 3 7 "AwEAAZ1OCt7zZxeaROvzXNCNlqQWIi++p5ABXSoxqJ65WQko6xrI9RIm
K7IBT5roFhXjBDGJ8ld9CYIEN94kK83K/QwUGCJ+v3vIQFi09IqsPeRdHTQyghWWbhzAZpnlZ16imXB4
yFZjdbV2iM66KcgsESQMPEcIayDQJh6JEi1wmslrYvRRJ6YPOWrlLD0RmdtCaRuzlUE0RiWSem/i8vDF
dmsSwChRMcORklKqjqt1+RBIiEFJGKIz7lGc9DXRwkBfb+halii+jrELiZAPzfO7rf08l3QlgHEuxclT
TdEaxctPd2O2U/Hl9tRgkxRL/Zv1i0sEx2mOJGcUCeVm4Hf2aM8=";
};

The only concern right now is that the key is only published at the apex of their zone. Right now there is no secure out-of-band channel to obtain it from (I pulled it from an email from someone who got it from the zone data). This is a huge operational challenge as other TLDs become DNSSEC enabled.
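As an added example (not code from the original post or from Dyn), here is a small Python script with the checks a resolver operator would want before pasting a key like the one above into trusted-keys and before trusting a signature: it rebuilds the DNSKEY RDATA, computes the RFC 4034 key tag so the pasted key can be compared against a second source or a DS record, confirms the flags mark a KSK and the RSA parameters look sane, and tests an RRSIG's validity window. The gov. key and the SOA RRSIG are copied from this page; the helper names are my own.

```python
import base64
import re
from datetime import datetime

# The gov. KSK from the trusted-keys block above: (flags, protocol, algorithm, base64 key).
GOV_KSK = (257, 3, 7, """
AwEAAZ1OCt7zZxeaROvzXNCNlqQWIi++p5ABXSoxqJ65WQko6xrI9RIm
K7IBT5roFhXjBDGJ8ld9CYIEN94kK83K/QwUGCJ+v3vIQFi09IqsPeRdHTQyghWWbhzAZpnlZ16imXB4
yFZjdbV2iM66KcgsESQMPEcIayDQJh6JEi1wmslrYvRRJ6YPOWrlLD0RmdtCaRuzlUE0RiWSem/i8vDF
dmsSwChRMcORklKqjqt1+RBIiEFJGKIz7lGc9DXRwkBfb+halii+jrELiZAPzfO7rf08l3QlgHEuxclT
TdEaxctPd2O2U/Hl9tRgkxRL/Zv1i0sEx2mOJGcUCeVm4Hf2aM8=""")

# The SOA RRSIG from the dig output above, with the signature bytes truncated (not needed here).
SOA_RRSIG = ("dnsops.gov. 3491 IN RRSIG SOA 5 2 3600 20090225162416 20090126162416 30060 "
             "dnsops.gov. Rx7i6V7Q0hEGxmkGtwfqXKROuL4cR/7QaPjrYUuOgqPREysRfS2Sbuw5...")

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    key = base64.b64decode("".join(key_b64.split()))  # drop the line breaks first
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with the carry folded back in."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rsa_public_key(raw):
    """RFC 3110 layout: exponent length (1 byte, or 0 then 2 bytes), exponent, modulus."""
    elen, off = (raw[0], 1) if raw[0] else (int.from_bytes(raw[1:3], "big"), 3)
    exponent = int.from_bytes(raw[off:off + elen], "big")
    return exponent, int.from_bytes(raw[off + elen:], "big").bit_length()

def describe_anchor(flags, protocol, algorithm, key_b64):
    """Fields to compare with a second source (or a DS record) before trusting a pasted key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    exponent, bits = rsa_public_key(rdata[4:])
    return {"key_tag": key_tag(rdata), "ksk": (flags & 0x0101) == 0x0101,  # zone key + SEP bits
            "algorithm": algorithm, "exponent": exponent, "modulus_bits": bits}

def rrsig_is_current(rrsig_text, now_utc):
    """A validator rejects an RRSIG unless inception <= now <= expiration (YYYYMMDDHHMMSS, UTC)."""
    m = re.search(r"\sRRSIG\s+\S+\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+\d+\s", rrsig_text)
    stamp = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S")
    expiration, inception = stamp(m.group(1)), stamp(m.group(2))
    return inception <= stamp(now_utc) <= expiration
```

The key tag is the value to check against whoever else publishes the anchor; the RRSIG window check is the same clock test a validating resolver applies, which is why a signed zone whose signatures lapse starts failing validation.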
