From: krad
To: "John R. Levine"
Cc: freebsd-questions@freebsd.org
Subject: Re: DJB and root ns server dnssec signing
Date: Mon, 19 Apr 2010 16:52:26 +0100
References: <20100419145615.48204.qmail@joyce.lan>

On 19 April 2010 16:06, John R. Levine wrote:

>> I think what I really need to do is find a root ns that is already serving
>> signed records then limit djb to that, and then I can do some testing. My
>> gut feeling is that it will be ok, but it's nowhere near 90% let alone 100%
>> which is why I'm nervous. PR nightmare if it does go wrong
>
> The roots all return the same thing, but you might try some experiments
> using requests to the tiny .MUSEUM domain which has been signed for a while.
>
> R's,
> John

ok this is the bit that worries me

Bind server on public ip (not firewalled)

# /usr/local/bind-9.7.0-P1/bin/dig @127.0.0.1 museum

; <<>> DiG 9.7.0-P1 <<>> @127.0.0.1 museum
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33867
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;museum.                        IN      A

;; AUTHORITY SECTION:
museum.                 3485    IN      SOA     nic.museum. hostmaster.nic.museum. 2010041637 28800 7200 1209600 3600

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 19 16:51:17 2010
;; MSG SIZE rcvd: 75

querying the djb public server

# /usr/local/bind-9.7.0-P1/bin/dig @djbcache museum

; <<>> DiG 9.7.0-P1 <<>> @mk-cache-7.ns.uk.tiscali.com museum
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10827
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;museum.                        IN      A

;; Query time: 1 msec
;; SERVER: 212.139.132.43#53(212.139.132.43)
;; WHEN: Mon Apr 19 16:52:01 2010
;; MSG SIZE rcvd: 24
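
Added example (not part of the original message, and not code from either resolver): a small Python parser run over the two dig replies quoted above, reporting which fields differ and whether a NODATA reply carries anything beyond the DNS header and question. The function names and classification labels are this example's own, and the sample input is the two replies trimmed to the lines the parser reads.

```python
import re

# Sample input: the two dig replies from the message, trimmed to the lines
# the parser reads (question-line whitespace normalised).
BIND_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33867
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;museum. IN A
;; MSG SIZE rcvd: 75
"""
DNSCACHE_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10827
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;museum. IN A
;; MSG SIZE rcvd: 24
"""

def parse_dig(text):
    """Extract status, flags, section counts, qname and size from dig output."""
    counts = re.findall(r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL): (\d+)", text)
    return {
        "status": re.search(r"status: (\w+)", text).group(1),
        "flags": re.search(r"flags: ([a-z ]*);", text).group(1).split(),
        "counts": {name: int(n) for name, n in counts},
        "qname": re.search(r"^;(\S+)\s+IN\s+\S+", text, re.M).group(1),
        "size": int(re.search(r"MSG SIZE\s+rcvd: (\d+)", text).group(1)),
    }

def bare_size(qname):
    """Wire size of a reply holding only the 12-byte header and the question."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    # length byte per label, root byte, then 2-byte QTYPE and 2-byte QCLASS
    return 12 + sum(1 + len(label) for label in labels) + 1 + 4

def classify(reply):
    """Label a reply by what accompanies an empty answer section."""
    c = reply["counts"]
    if reply["status"] != "NOERROR" or c["ANSWER"]:
        return "not-nodata"
    if c["AUTHORITY"]:
        return "nodata-with-authority"
    extra = reply["size"] - bare_size(reply["qname"])
    return "nodata-bare" if extra == 0 else "nodata-no-authority"

def compare(a, b):
    """Return the parsed fields on which two replies disagree."""
    return sorted(k for k in ("status", "flags", "counts", "size") if a[k] != b[k])
```

Neither query above set the DO bit, so these two replies do not yet exercise signed data; rerunning both with dig's +dnssec option and comparing the results the same way covers that case.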